The branch main has been updated by kp:
URL:
https://cgit.FreeBSD.org/src/commit/?id=4bb3b365776458bd8f710e40f97e2c68994e3306
commit 4bb3b365776458bd8f710e40f97e2c68994e3306
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-07-18 14:55:35 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2025-07-23 13:35:47 +0000
pf: unify DPFPRINTF definitions
We define DPFPRINTF() in a few different versions in most pf source files.
Move to one definition in pfvar.h and use that one everywhere.
While here change it to add an endline, as OpenBSD does, so we consistently
end
all logs with an endline.
Also add a static probe point to ease future debugging. This way we can
detect
log evens even when logging is disabled, and extract more information (e.g.
stack traces, frequency, ...).
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/net/pfvar.h | 8 +++
sys/netpfil/pf/if_pfsync.c | 16 +++--
sys/netpfil/pf/pf.c | 135 ++++++++++++++++++++---------------------
sys/netpfil/pf/pf_ioctl.c | 48 +++++++--------
sys/netpfil/pf/pf_lb.c | 22 +++----
sys/netpfil/pf/pf_norm.c | 109 +++++++++++++++++----------------
sys/netpfil/pf/pf_osfp.c | 17 +++---
sys/netpfil/pf/pf_ruleset.c | 13 ++--
sys/netpfil/pf/pf_syncookies.c | 6 +-
sys/netpfil/pf/pf_table.c | 4 +-
10 files changed, 187 insertions(+), 191 deletions(-)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index efc884398e7b..d55afe750869 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -331,6 +331,14 @@ MALLOC_DECLARE(M_PF_RULE_ITEM);
SDT_PROVIDER_DECLARE(pf);
SDT_PROBE_DECLARE(pf, , test, reason_set);
+SDT_PROBE_DECLARE(pf, , log, log);
+
+#define DPFPRINTF(n, fmt, x...) \
+ do { \
+ SDT_PROBE2(pf, , log, log, (n), fmt); \
+ if (V_pf_status.debug >= (n)) \
+ printf(fmt "\n", ##x); \
+ } while (0)
struct pfi_dynaddr {
TAILQ_ENTRY(pfi_dynaddr) entry;
diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index 4e03584b8f85..ee10a997c977 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -110,8 +110,6 @@
#include <netpfil/pf/pfsync_nv.h>
-#define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x
-
struct pfsync_bucket;
struct pfsync_softc;
@@ -597,9 +595,9 @@ pfsync_state_import(union pfsync_state_union *sp, int
flags, int msg_version)
if ((rpool_first == NULL) ||
(TAILQ_NEXT(rpool_first, entries) != NULL)) {
DPFPRINTF(PF_DEBUG_MISC,
- ("%s: can't recover routing information "
- "because of empty or bad redirection
pool\n",
- __func__));
+ "%s: can't recover routing information "
+ "because of empty or bad redirection pool",
+ __func__);
return ((flags & PFSYNC_SI_IOCTL) ? EINVAL : 0);
}
rt = r->rt;
@@ -610,8 +608,8 @@ pfsync_state_import(union pfsync_state_union *sp, int
flags, int msg_version)
* give up on recovering.
*/
DPFPRINTF(PF_DEBUG_MISC,
- ("%s: can't recover routing information "
- "because of different ruleset\n", __func__));
+ "%s: can't recover routing information "
+ "because of different ruleset", __func__);
return ((flags & PFSYNC_SI_IOCTL) ? EINVAL : 0);
}
break;
@@ -624,8 +622,8 @@ pfsync_state_import(union pfsync_state_union *sp, int
flags, int msg_version)
rt_kif = pfi_kkif_find(sp->pfs_1400.rt_ifname);
if (rt_kif == NULL) {
DPFPRINTF(PF_DEBUG_MISC,
- ("%s: unknown route interface: %s\n",
- __func__, sp->pfs_1400.rt_ifname));
+ "%s: unknown route interface: %s",
+ __func__, sp->pfs_1400.rt_ifname);
return ((flags & PFSYNC_SI_IOCTL) ? EINVAL : 0);
}
rt = sp->pfs_1400.rt;
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 9ef69ee09bb8..c669be47b063 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -119,8 +119,6 @@
#include <machine/in_cksum.h>
#include <security/mac/mac_framework.h>
-#define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x
-
SDT_PROVIDER_DEFINE(pf);
SDT_PROBE_DEFINE2(pf, , test, reason_set, "int", "int");
SDT_PROBE_DEFINE4(pf, ip, test, done, "int", "int", "struct pf_krule *",
@@ -161,6 +159,7 @@ SDT_PROBE_DEFINE2(pf, eth, test_rule, match, "int", "struct
pf_keth_rule *");
SDT_PROBE_DEFINE2(pf, eth, test_rule, final_match,
"int", "struct pf_keth_rule *");
SDT_PROBE_DEFINE2(pf, purge, state, rowcount, "int", "size_t");
+SDT_PROBE_DEFINE2(pf, , log, log, "int", "const char *");
/*
* Global variables
@@ -4617,8 +4616,8 @@ pf_match_rcvif(struct mbuf *m, struct pf_krule *r)
if (kif == NULL) {
DPFPRINTF(PF_DEBUG_URGENT,
- ("%s: kif == NULL, @%d via %s\n", __func__, r->nr,
- r->rcv_ifname));
+ "%s: kif == NULL, @%d via %s", __func__, r->nr,
+ r->rcv_ifname);
return (0);
}
@@ -5244,8 +5243,8 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct
mbuf **m0)
if (__predict_false(m->m_len < sizeof(struct ether_header)) &&
(m = *m0 = m_pullup(*m0, sizeof(struct ether_header))) == NULL) {
DPFPRINTF(PF_DEBUG_URGENT,
- ("%s: m_len < sizeof(struct ether_header)"
- ", pullup failed\n", __func__));
+ "%s: m_len < sizeof(struct ether_header)"
+ ", pullup failed", __func__);
return (PF_DROP);
}
e = mtod(m, struct ether_header *);
@@ -6170,8 +6169,8 @@ pf_create_state(struct pf_krule *r, struct pf_test_ctx
*ctx,
&s->src, &s->dst, &ctx->rewrite)) {
/* This really shouldn't happen!!! */
DPFPRINTF(PF_DEBUG_URGENT,
- ("%s: tcp normalize failed on first "
- "pkt\n", __func__));
+ "%s: tcp normalize failed on first "
+ "pkt", __func__);
goto csfailed;
}
} else if (pd->proto == IPPROTO_SCTP) {
@@ -7967,8 +7966,8 @@ pf_test_state_icmp(struct pf_kstate **state, struct
pf_pdesc *pd,
if (!pf_pull_hdr(pd->m, ipoff2, &h2, sizeof(h2),
NULL, reason, pd2.af)) {
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(ip)\n"));
+ "pf: ICMP error message too short "
+ "(ip)");
return (PF_DROP);
}
/*
@@ -7998,8 +7997,8 @@ pf_test_state_icmp(struct pf_kstate **state, struct
pf_pdesc *pd,
if (!pf_pull_hdr(pd->m, ipoff2, &h2_6, sizeof(h2_6),
NULL, reason, pd2.af)) {
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(ip6)\n"));
+ "pf: ICMP error message too short "
+ "(ip6)");
return (PF_DROP);
}
pd2.off = ipoff2;
@@ -8051,8 +8050,8 @@ pf_test_state_icmp(struct pf_kstate **state, struct
pf_pdesc *pd,
if (!pf_pull_hdr(pd->m, pd2.off, th, 8, NULL, reason,
pd2.af)) {
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(tcp)\n"));
+ "pf: ICMP error message too short "
+ "(tcp)");
return (PF_DROP);
}
pd2.pcksum = &pd2.hdr.tcp.th_sum;
@@ -8246,8 +8245,8 @@ pf_test_state_icmp(struct pf_kstate **state, struct
pf_pdesc *pd,
if (!pf_pull_hdr(pd->m, pd2.off, uh, sizeof(*uh),
NULL, reason, pd2.af)) {
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(udp)\n"));
+ "pf: ICMP error message too short "
+ "(udp)");
return (PF_DROP);
}
pd2.pcksum = &pd2.hdr.udp.uh_sum;
@@ -8378,8 +8377,8 @@ pf_test_state_icmp(struct pf_kstate **state, struct
pf_pdesc *pd,
if (! pf_pull_hdr(pd->m, pd2.off, sh, sizeof(*sh),
NULL, reason,
pd2.af)) {
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(sctp)\n"));
+ "pf: ICMP error message too short "
+ "(sctp)");
return (PF_DROP);
}
pd2.pcksum = &pd2.sctp_dummy_sum;
@@ -8409,8 +8408,8 @@ pf_test_state_icmp(struct pf_kstate **state, struct
pf_pdesc *pd,
if (src->scrub->pfss_v_tag != sh->v_tag) {
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message has incorrect "
- "SCTP v_tag\n"));
+ "pf: ICMP error message has incorrect "
+ "SCTP v_tag");
return (PF_DROP);
}
@@ -8533,8 +8532,8 @@ pf_test_state_icmp(struct pf_kstate **state, struct
pf_pdesc *pd,
if (!pf_pull_hdr(pd->m, pd2.off, iih, ICMP_MINLEN,
NULL, reason, pd2.af)) {
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short i"
- "(icmp)\n"));
+ "pf: ICMP error message too short i"
+ "(icmp)");
return (PF_DROP);
}
pd2.pcksum = &pd2.hdr.icmp.icmp_cksum;
@@ -8653,8 +8652,8 @@ pf_test_state_icmp(struct pf_kstate **state, struct
pf_pdesc *pd,
if (!pf_pull_hdr(pd->m, pd2.off, iih,
sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) {
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: ICMP error message too short "
- "(icmp6)\n"));
+ "pf: ICMP error message too short "
+ "(icmp6)");
return (PF_DROP);
}
pd2.pcksum = &pd2.hdr.icmp6.icmp6_cksum;
@@ -9084,7 +9083,7 @@ pf_route(struct pf_krule *r, struct ifnet *oifp,
}
if (m0->m_len < sizeof(struct ip)) {
DPFPRINTF(PF_DEBUG_URGENT,
- ("%s: m0->m_len < sizeof(struct ip)\n", __func__));
+ "%s: m0->m_len < sizeof(struct ip)", __func__);
SDT_PROBE1(pf, ip, route_to, drop, __LINE__);
goto bad;
}
@@ -9389,8 +9388,8 @@ pf_route6(struct pf_krule *r, struct ifnet *oifp,
}
if (m0->m_len < sizeof(struct ip6_hdr)) {
DPFPRINTF(PF_DEBUG_URGENT,
- ("%s: m0->m_len < sizeof(struct ip6_hdr)\n",
- __func__));
+ "%s: m0->m_len < sizeof(struct ip6_hdr)",
+ __func__);
SDT_PROBE1(pf, ip6, route_to, drop, __LINE__);
goto bad;
}
@@ -9685,7 +9684,7 @@ pf_test_eth(int dir, int pflags, struct ifnet *ifp,
struct mbuf **m0,
if (kif == NULL) {
DPFPRINTF(PF_DEBUG_URGENT,
- ("%s: kif == NULL, if_xname %s\n", __func__,
ifp->if_xname));
+ "%s: kif == NULL, if_xname %s", __func__, ifp->if_xname);
return (PF_DROP);
}
if (kif->pfik_flags & PFI_IFLAG_SKIP)
@@ -9807,7 +9806,7 @@ pf_walk_option(struct pf_pdesc *pd, struct ip *h, int
off, int end,
/* IP header in payload of ICMP packet may be too short */
if (pd->m->m_pkthdr.len < end) {
- DPFPRINTF(PF_DEBUG_MISC, ("IP option too short\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "IP option too short");
REASON_SET(reason, PFRES_SHORT);
return (PF_DROP);
}
@@ -9826,18 +9825,18 @@ pf_walk_option(struct pf_pdesc *pd, struct ip *h, int
off, int end,
continue;
}
if (off + 2 > end) {
- DPFPRINTF(PF_DEBUG_MISC, ("IP length opt\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "IP length opt");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
length = opts[off + 1];
if (length < 2) {
- DPFPRINTF(PF_DEBUG_MISC, ("IP short opt\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "IP short opt");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
if (off + length > end) {
- DPFPRINTF(PF_DEBUG_MISC, ("IP long opt\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "IP long opt");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
@@ -9883,7 +9882,7 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short
*reason)
/* According to RFC 1112 ttl must be set to 1. */
if ((h->ip_ttl != 1) ||
!IN_MULTICAST(ntohl(h->ip_dst.s_addr))) {
- DPFPRINTF(PF_DEBUG_MISC, ("Invalid IGMP\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "Invalid IGMP");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
@@ -9901,7 +9900,7 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short
*reason)
return (PF_PASS);
if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext),
NULL, reason, AF_INET)) {
- DPFPRINTF(PF_DEBUG_MISC, ("IP short exthdr"));
+ DPFPRINTF(PF_DEBUG_MISC, "IP short exthdr");
return (PF_DROP);
}
pd->off += (ext.ah_len + 2) * 4;
@@ -9911,7 +9910,7 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short
*reason)
return (PF_PASS);
}
}
- DPFPRINTF(PF_DEBUG_MISC, ("IPv4 nested authentication header limit"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv4 nested authentication header limit");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
@@ -9927,7 +9926,7 @@ pf_walk_option6(struct pf_pdesc *pd, struct ip6_hdr *h,
int off, int end,
while (off < end) {
if (!pf_pull_hdr(pd->m, off, &opt.ip6o_type,
sizeof(opt.ip6o_type), NULL, reason, AF_INET6)) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 short opt type"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 short opt type");
return (PF_DROP);
}
if (opt.ip6o_type == IP6OPT_PAD1) {
@@ -9936,11 +9935,11 @@ pf_walk_option6(struct pf_pdesc *pd, struct ip6_hdr *h,
int off, int end,
}
if (!pf_pull_hdr(pd->m, off, &opt, sizeof(opt), NULL,
reason, AF_INET6)) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 short opt"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 short opt");
return (PF_DROP);
}
if (off + sizeof(opt) + opt.ip6o_len > end) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 long opt"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 long opt");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
@@ -9950,25 +9949,25 @@ pf_walk_option6(struct pf_pdesc *pd, struct ip6_hdr *h,
int off, int end,
case IP6OPT_JUMBO:
pd->badopts |= PF_OPT_JUMBO;
if (pd->jumbolen != 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 multiple
jumbo"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 multiple jumbo");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
if (ntohs(h->ip6_plen) != 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 bad jumbo
plen"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 bad jumbo plen");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
if (!pf_pull_hdr(pd->m, off, &jumbo, sizeof(jumbo),
NULL,
reason, AF_INET6)) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 short jumbo"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 short jumbo");
return (PF_DROP);
}
memcpy(&pd->jumbolen, jumbo.ip6oj_jumbo_len,
sizeof(pd->jumbolen));
pd->jumbolen = ntohl(pd->jumbolen);
if (pd->jumbolen < IPV6_MAXPACKET) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 short
jumbolen"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 short jumbolen");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
@@ -10009,7 +10008,7 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h,
u_short *reason)
case IPPROTO_HOPOPTS:
if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext),
NULL, reason, AF_INET6)) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 short
exthdr\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 short exthdr");
return (PF_DROP);
}
if (pf_walk_option6(pd, h, pd->off + sizeof(ext),
@@ -10024,19 +10023,19 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr
*h, u_short *reason)
switch (pd->proto) {
case IPPROTO_FRAGMENT:
if (fraghdr_cnt++) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 multiple
fragment"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 multiple
fragment");
REASON_SET(reason, PFRES_FRAG);
return (PF_DROP);
}
/* jumbo payload packets cannot be fragmented */
if (pd->jumbolen != 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 fragmented
jumbo"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 fragmented
jumbo");
REASON_SET(reason, PFRES_FRAG);
return (PF_DROP);
}
if (!pf_pull_hdr(pd->m, pd->off, &frag, sizeof(frag),
NULL, reason, AF_INET6)) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 short
fragment"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 short fragment");
return (PF_DROP);
}
/* stop walking over non initial fragments */
@@ -10052,7 +10051,7 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h,
u_short *reason)
break;
case IPPROTO_ROUTING:
if (rthdr_cnt++) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 multiple
rthdr"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 multiple rthdr");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
@@ -10064,11 +10063,11 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr
*h, u_short *reason)
}
if (!pf_pull_hdr(pd->m, pd->off, &rthdr, sizeof(rthdr),
NULL, reason, AF_INET6)) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 short rthdr"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 short rthdr");
return (PF_DROP);
}
if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 rthdr0"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 rthdr0");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
@@ -10076,7 +10075,7 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h,
u_short *reason)
case IPPROTO_HOPOPTS:
/* RFC2460 4.1: Hop-by-Hop only after IPv6 header */
if (pd->proto == IPPROTO_HOPOPTS && hdr_cnt > 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 hopopts not
first"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 hopopts not
first");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
@@ -10085,7 +10084,7 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h,
u_short *reason)
case IPPROTO_DSTOPTS:
if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext),
NULL, reason, AF_INET6)) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 short exthdr"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 short exthdr");
return (PF_DROP);
}
/* fragments may be short */
@@ -10099,7 +10098,7 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h,
u_short *reason)
pd->extoff = pd->off;
if (pd->proto == IPPROTO_HOPOPTS && pd->fragoff == 0 &&
ntohs(h->ip6_plen) == 0 && pd->jumbolen != 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 missing
jumbo\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 missing jumbo");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
@@ -10119,7 +10118,7 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h,
u_short *reason)
if (!pf_pull_hdr(pd->m, pd->off, &icmp6, sizeof(icmp6),
NULL, reason, AF_INET6)) {
DPFPRINTF(PF_DEBUG_MISC,
- ("IPv6 short icmp6hdr\n"));
+ "IPv6 short icmp6hdr");
return (PF_DROP);
}
/* ICMP multicast packets have router alert options */
@@ -10137,7 +10136,7 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h,
u_short *reason)
*/
if ((h->ip6_hlim != 1) ||
!IN6_IS_ADDR_LINKLOCAL(&h->ip6_src)) {
- DPFPRINTF(PF_DEBUG_MISC, ("Invalid
MLD\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "Invalid MLD");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
@@ -10162,7 +10161,7 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h,
u_short *reason)
return (PF_PASS);
}
}
- DPFPRINTF(PF_DEBUG_MISC, ("IPv6 nested extension header limit"));
+ DPFPRINTF(PF_DEBUG_MISC, "IPv6 nested extension header limit");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
}
@@ -10207,8 +10206,8 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc
*pd, struct mbuf **m0,
if (__predict_false((*m0)->m_len < sizeof(struct ip)) &&
(pd->m = *m0 = m_pullup(*m0, sizeof(struct ip))) == NULL) {
DPFPRINTF(PF_DEBUG_URGENT,
- ("%s: m_len < sizeof(struct ip), pullup failed\n",
- __func__));
+ "%s: m_len < sizeof(struct ip), pullup failed",
+ __func__);
*action = PF_DROP;
REASON_SET(reason, PFRES_SHORT);
return (-1);
@@ -10258,8 +10257,8 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc
*pd, struct mbuf **m0,
if (__predict_false((*m0)->m_len < sizeof(struct ip6_hdr)) &&
(pd->m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) ==
NULL) {
DPFPRINTF(PF_DEBUG_URGENT,
- ("%s: m_len < sizeof(struct ip6_hdr)"
- ", pullup failed\n", __func__));
+ "%s: m_len < sizeof(struct ip6_hdr)"
+ ", pullup failed", __func__);
*action = PF_DROP;
REASON_SET(reason, PFRES_SHORT);
return (-1);
@@ -10619,8 +10618,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct
ifnet *ifp, struct mbuf **m0
if (__predict_false(kif == NULL)) {
DPFPRINTF(PF_DEBUG_URGENT,
- ("%s: kif == NULL, if_xname %s\n",
- __func__, ifp->if_xname));
+ "%s: kif == NULL, if_xname %s",
+ __func__, ifp->if_xname);
return (PF_DROP);
}
if (kif->pfik_flags & PFI_IFLAG_SKIP) {
@@ -10824,14 +10823,14 @@ pf_test(sa_family_t af, int dir, int pflags, struct
ifnet *ifp, struct mbuf **m0
action = PF_DROP;
REASON_SET(&reason, PFRES_NORM);
DPFPRINTF(PF_DEBUG_MISC,
- ("dropping IPv6 packet with ICMPv4 payload"));
+ "dropping IPv6 packet with ICMPv4 payload");
break;
}
if (pd.virtual_proto == IPPROTO_ICMPV6 && af != AF_INET6) {
action = PF_DROP;
REASON_SET(&reason, PFRES_NORM);
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: dropping IPv4 packet with ICMPv6 payload\n"));
+ "pf: dropping IPv4 packet with ICMPv6 payload");
break;
}
action = pf_test_state_icmp(&s, &pd, &reason);
@@ -10862,7 +10861,7 @@ done:
REASON_SET(&reason, PFRES_IPOPTIONS);
pd.act.log = PF_LOG_FORCE;
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: dropping packet with dangerous headers\n"));
+ "pf: dropping packet with dangerous headers");
}
if (pd.act.max_pkt_size && pd.act.max_pkt_size &&
@@ -10871,7 +10870,7 @@ done:
REASON_SET(&reason, PFRES_NORM);
pd.act.log = PF_LOG_FORCE;
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: dropping overly long packet\n"));
+ "pf: dropping overly long packet");
}
if (s) {
@@ -10903,7 +10902,7 @@ done:
REASON_SET(&reason, PFRES_MEMORY);
pd.act.log = PF_LOG_FORCE;
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: failed to allocate 802.1q mtag\n"));
+ "pf: failed to allocate 802.1q mtag");
}
}
@@ -10960,7 +10959,7 @@ done:
REASON_SET(&reason, PFRES_MEMORY);
pd.act.log = PF_LOG_FORCE;
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: failed to allocate tag\n"));
+ "pf: failed to allocate tag");
} else {
pd.pf_mtag->flags |=
PF_MTAG_FLAG_FASTFWD_OURS_PRESENT;
@@ -10977,7 +10976,7 @@ done:
REASON_SET(&reason, PFRES_MEMORY);
pd.act.log = PF_LOG_FORCE;
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: failed to allocate divert tag\n"));
+ "pf: failed to allocate divert tag");
}
}
/* XXX: Anybody working on it?! */
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 5c69c395c5fc..ea9f7fe441c6 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -217,8 +217,6 @@ static u_int16_t tagname2tag(struct pf_tagset *, const
char *);
static u_int16_t pf_tagname2tag(const char *);
static void tag_unref(struct pf_tagset *, u_int16_t);
-#define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x
-
struct cdev *pf_dev;
/*
@@ -2143,14 +2141,14 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
ERROUT(EINVAL);
if (ticket != ruleset->rules[rs_num].inactive.ticket) {
DPFPRINTF(PF_DEBUG_MISC,
- ("ticket: %d != [%d]%d\n", ticket, rs_num,
- ruleset->rules[rs_num].inactive.ticket));
+ "ticket: %d != [%d]%d", ticket, rs_num,
+ ruleset->rules[rs_num].inactive.ticket);
ERROUT(EBUSY);
}
if (pool_ticket != V_ticket_pabuf) {
DPFPRINTF(PF_DEBUG_MISC,
- ("pool_ticket: %d != %d\n", pool_ticket,
- V_ticket_pabuf));
+ "pool_ticket: %d != %d", pool_ticket,
+ V_ticket_pabuf);
ERROUT(EBUSY);
}
/*
@@ -2469,7 +2467,7 @@ pf_start(void)
V_pf_status.since = time_uptime;
new_unrhdr64(&V_pf_stateid, time_second);
- DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "pf: started");
}
sx_xunlock(&V_pf_ioctl_lock);
@@ -2489,7 +2487,7 @@ pf_stop(void)
dehook_pf();
dehook_pf_eth();
V_pf_status.since = time_uptime;
- DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "pf: stopped");
}
sx_xunlock(&V_pf_ioctl_lock);
@@ -3264,9 +3262,9 @@ DIOCGETETHRULE_error:
if (nvlist_get_number(nvl, "ticket") !=
ruleset->inactive.ticket) {
DPFPRINTF(PF_DEBUG_MISC,
- ("ticket: %d != %d\n",
+ "ticket: %d != %d",
(u_int32_t)nvlist_get_number(nvl, "ticket"),
- ruleset->inactive.ticket));
+ ruleset->inactive.ticket);
ERROUT(EBUSY);
}
@@ -4340,7 +4338,7 @@ DIOCGETSTATESV2_full:
if (error == 0)
V_pf_altq_running = 1;
PF_RULES_WUNLOCK();
- DPFPRINTF(PF_DEBUG_MISC, ("altq: started\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "altq: started");
break;
}
@@ -4359,7 +4357,7 @@ DIOCGETSTATESV2_full:
if (error == 0)
V_pf_altq_running = 0;
PF_RULES_WUNLOCK();
- DPFPRINTF(PF_DEBUG_MISC, ("altq: stopped\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "altq: stopped");
break;
}
@@ -6457,9 +6455,9 @@ shutdown_pf(void)
for (rs_num = 0; rs_num < PF_RULESET_MAX; ++rs_num) {
if ((error = pf_begin_rules(&t[rs_num], rs_num,
anchor->path)) != 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("%s: "
- "anchor.path=%s rs_num=%d\n",
- __func__, anchor->path, rs_num));
+ DPFPRINTF(PF_DEBUG_MISC, "%s: "
+ "anchor.path=%s rs_num=%d",
+ __func__, anchor->path, rs_num);
goto error; /* XXX: rollback? */
}
}
@@ -6481,9 +6479,9 @@ shutdown_pf(void)
eth_anchor->refcnt = 1;
if ((error = pf_begin_eth(&t[0], eth_anchor->path))
!= 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("%s: eth "
- "anchor.path=%s\n", __func__,
- eth_anchor->path));
+ DPFPRINTF(PF_DEBUG_MISC, "%s: eth "
+ "anchor.path=%s", __func__,
+ eth_anchor->path);
goto error;
}
error = pf_commit_eth(t[0], eth_anchor->path);
@@ -6492,27 +6490,27 @@ shutdown_pf(void)
if ((error = pf_begin_rules(&t[0], PF_RULESET_SCRUB, &nn))
!= 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("%s: SCRUB\n", __func__));
+ DPFPRINTF(PF_DEBUG_MISC, "%s: SCRUB", __func__);
break;
}
if ((error = pf_begin_rules(&t[1], PF_RULESET_FILTER, &nn))
!= 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("%s: FILTER\n", __func__));
+ DPFPRINTF(PF_DEBUG_MISC, "%s: FILTER", __func__);
break; /* XXX: rollback? */
}
if ((error = pf_begin_rules(&t[2], PF_RULESET_NAT, &nn))
!= 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("%s: NAT\n", __func__));
+ DPFPRINTF(PF_DEBUG_MISC, "%s: NAT", __func__);
break; /* XXX: rollback? */
}
if ((error = pf_begin_rules(&t[3], PF_RULESET_BINAT, &nn))
!= 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("%s: BINAT\n", __func__));
+ DPFPRINTF(PF_DEBUG_MISC, "%s: BINAT", __func__);
break; /* XXX: rollback? */
}
if ((error = pf_begin_rules(&t[4], PF_RULESET_RDR, &nn))
!= 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("%s: RDR\n", __func__));
+ DPFPRINTF(PF_DEBUG_MISC, "%s: RDR", __func__);
break; /* XXX: rollback? */
}
@@ -6531,7 +6529,7 @@ shutdown_pf(void)
break;
if ((error = pf_begin_eth(&t[0], &nn)) != 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("%s: eth\n", __func__));
+ DPFPRINTF(PF_DEBUG_MISC, "%s: eth", __func__);
break;
}
error = pf_commit_eth(t[0], &nn);
@@ -6539,7 +6537,7 @@ shutdown_pf(void)
#ifdef ALTQ
if ((error = pf_begin_altq(&t[0])) != 0) {
- DPFPRINTF(PF_DEBUG_MISC, ("%s: ALTQ\n", __func__));
+ DPFPRINTF(PF_DEBUG_MISC, "%s: ALTQ", __func__);
break;
}
pf_commit_altq(t[0]);
diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c
index 9c7863bb301e..ea0d6facf695 100644
--- a/sys/netpfil/pf/pf_lb.c
+++ b/sys/netpfil/pf/pf_lb.c
@@ -71,8 +71,6 @@
#define V_pf_rdr_srcport_rewrite_tries
VNET(pf_rdr_srcport_rewrite_tries)
VNET_DEFINE_STATIC(int, pf_rdr_srcport_rewrite_tries) = 16;
-#define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x
-
static uint64_t pf_hash(struct pf_addr *, struct pf_addr *,
struct pf_poolhashkey *, sa_family_t);
struct pf_krule *pf_match_translation(int, struct pf_test_ctx
*);
@@ -904,19 +902,19 @@ pf_get_transaddr(struct pf_test_ctx *ctx, struct pf_krule
*r,
if (pf_get_mape_sport(pd, r, naddr, nportp,
&ctx->udp_mapping, rpool)) {
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: MAP-E port allocation (%u/%u/%u)"
- " failed\n",
+ "pf: MAP-E port allocation (%u/%u/%u)"
+ " failed",
rpool->mape.offset,
rpool->mape.psidlen,
- rpool->mape.psid));
+ rpool->mape.psid);
reason = PFRES_MAPFAILED;
goto notrans;
}
} else if (pf_get_sport(pd, r, naddr, nportp, low, high,
rpool, &ctx->udp_mapping, PF_SN_NAT)) {
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: NAT proxy port allocation (%u-%u) failed\n",
- rpool->proxy_port[0], rpool->proxy_port[1]));
+ "pf: NAT proxy port allocation (%u-%u) failed",
+ rpool->proxy_port[0], rpool->proxy_port[1]);
reason = PFRES_MAPFAILED;
goto notrans;
}
@@ -1085,13 +1083,13 @@ pf_get_transaddr(struct pf_test_ctx *ctx, struct
pf_krule *r,
* the state may be reused if the TCP state is terminal.
*/
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: RDR source port allocation failed\n"));
+ "pf: RDR source port allocation failed");
break;
out:
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: RDR source port allocation %u->%u\n",
- ntohs(pd->nsport), ntohs(ctx->nk->port[0])));
+ "pf: RDR source port allocation %u->%u",
+ ntohs(pd->nsport), ntohs(ctx->nk->port[0]));
break;
}
default:
@@ -1140,8 +1138,8 @@ pf_get_transaddr_af(struct pf_krule *r, struct pf_pdesc
*pd)
if (pf_get_sport(pd, r, &nsaddr, &nport, r->nat.proxy_port[0],
r->nat.proxy_port[1], &r->nat, NULL, PF_SN_NAT)) {
DPFPRINTF(PF_DEBUG_MISC,
- ("pf: af-to NAT proxy port allocation (%u-%u) failed",
- r->nat.proxy_port[0], r->nat.proxy_port[1]));
+ "pf: af-to NAT proxy port allocation (%u-%u) failed",
+ r->nat.proxy_port[0], r->nat.proxy_port[1]);
return (-1);
}
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 369292ca365e..8cea9557633c 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -160,13 +160,6 @@ static int pf_reassemble6(struct mbuf **,
struct ip6_frag *, uint16_t, uint16_t, u_short *);
#endif /* INET6 */
-#define DPFPRINTF(x) do { \
- if (V_pf_status.debug >= PF_DEBUG_MISC) { \
- printf("%s: ", __func__); \
- printf x ; \
- } \
-} while(0)
-
#ifdef INET
static void
pf_ip2key(struct ip *ip, struct pf_frnode *key)
@@ -262,7 +255,8 @@ pf_purge_fragments(uint32_t expire)
if (frag->fr_timeout > expire)
break;
- DPFPRINTF(("expiring %d(%p)\n", frag->fr_id, frag));
+ DPFPRINTF(PF_DEBUG_MISC, "expiring %d(%p)",
+ frag->fr_id, frag);
pf_free_fragment(frag);
}
@@ -281,7 +275,7 @@ pf_flush_fragments(void)
PF_FRAG_ASSERT();
goal = uma_zone_get_cur(V_pf_frent_z) * 9 / 10;
- DPFPRINTF(("trying to free %d frag entriess\n", goal));
+ DPFPRINTF(PF_DEBUG_MISC, "trying to free %d frag entriess", goal);
while (goal < uma_zone_get_cur(V_pf_frent_z)) {
frag = TAILQ_LAST(&V_pf_fragqueue, pf_fragqueue);
if (frag)
@@ -573,26 +567,30 @@ pf_fillup_fragment(struct pf_frnode *key, uint32_t id,
/* No empty fragments. */
if (frent->fe_len == 0) {
- DPFPRINTF(("bad fragment: len 0\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "bad fragment: len 0");
goto bad_fragment;
}
/* All fragments are 8 byte aligned. */
if (frent->fe_mff && (frent->fe_len & 0x7)) {
- DPFPRINTF(("bad fragment: mff and len %d\n", frent->fe_len));
+ DPFPRINTF(PF_DEBUG_MISC, "bad fragment: mff and len %d",
+ frent->fe_len);
goto bad_fragment;
}
/* Respect maximum length, IP_MAXPACKET == IPV6_MAXPACKET. */
if (frent->fe_off + frent->fe_len > IP_MAXPACKET) {
- DPFPRINTF(("bad fragment: max packet %d\n",
- frent->fe_off + frent->fe_len));
+ DPFPRINTF(PF_DEBUG_MISC, "bad fragment: max packet %d",
+ frent->fe_off + frent->fe_len);
goto bad_fragment;
}
- DPFPRINTF((key->fn_af == AF_INET ?
- "reass frag %d @ %d-%d\n" : "reass frag %#08x @ %d-%d\n",
- id, frent->fe_off, frent->fe_off + frent->fe_len));
+ if (key->fn_af == AF_INET)
+ DPFPRINTF(PF_DEBUG_MISC, "reass frag %d @ %d-%d\n",
+ id, frent->fe_off, frent->fe_off + frent->fe_len);
+ else
+ DPFPRINTF(PF_DEBUG_MISC, "reass frag %#08x @ %d-%d",
+ id, frent->fe_off, frent->fe_off + frent->fe_len);
/* Fully buffer all of the fragments in this fragment queue. */
frag = pf_find_fragment(key, id);
@@ -690,10 +688,10 @@ pf_fillup_fragment(struct pf_frnode *key, uint32_t id,
precut = prev->fe_off + prev->fe_len - frent->fe_off;
if (precut >= frent->fe_len) {
- DPFPRINTF(("new frag overlapped\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "new frag overlapped");
goto drop_fragment;
}
- DPFPRINTF(("frag head overlap %d\n", precut));
+ DPFPRINTF(PF_DEBUG_MISC, "frag head overlap %d", precut);
m_adj(frent->fe_m, precut);
frent->fe_off += precut;
frent->fe_len -= precut;
@@ -705,7 +703,8 @@ pf_fillup_fragment(struct pf_frnode *key, uint32_t id,
aftercut = frent->fe_off + frent->fe_len - after->fe_off;
if (aftercut < after->fe_len) {
- DPFPRINTF(("frag tail overlap %d", aftercut));
+ DPFPRINTF(PF_DEBUG_MISC, "frag tail overlap %d",
+ aftercut);
m_adj(after->fe_m, aftercut);
/* Fragment may switch queue as fe_off changes */
pf_frent_remove(frag, after);
@@ -713,7 +712,8 @@ pf_fillup_fragment(struct pf_frnode *key, uint32_t id,
after->fe_len -= aftercut;
/* Insert into correct queue */
if (pf_frent_insert(frag, after, prev)) {
- DPFPRINTF(("fragment requeue limit exceeded"));
+ DPFPRINTF(PF_DEBUG_MISC,
+ "fragment requeue limit exceeded");
m_freem(after->fe_m);
uma_zfree(V_pf_frent_z, after);
/* There is not way to recover */
@@ -723,7 +723,7 @@ pf_fillup_fragment(struct pf_frnode *key, uint32_t id,
}
/* This fragment is completely overlapped, lose it. */
- DPFPRINTF(("old frag overlapped\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "old frag overlapped");
next = TAILQ_NEXT(after, fr_next);
pf_frent_remove(frag, after);
m_freem(after->fe_m);
@@ -732,7 +732,7 @@ pf_fillup_fragment(struct pf_frnode *key, uint32_t id,
/* If part of the queue gets too long, there is not way to recover. */
if (pf_frent_insert(frag, frent, prev)) {
- DPFPRINTF(("fragment queue limit exceeded\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "fragment queue limit exceeded");
goto bad_fragment;
}
@@ -748,7 +748,7 @@ free_fragment:
* fragment, the entire datagram (and any constituent fragments) MUST
* be silently discarded.
*/
- DPFPRINTF(("flush overlapping fragments\n"));
+ DPFPRINTF(PF_DEBUG_MISC, "flush overlapping fragments");
pf_free_fragment(frag);
bad_fragment:
@@ -826,7 +826,8 @@ pf_reassemble(struct mbuf **m0, u_short *reason)
m = *m0 = NULL;
if (frag->fr_holes) {
- DPFPRINTF(("frag %d, holes %d\n", frag->fr_id, frag->fr_holes));
+ DPFPRINTF(PF_DEBUG_MISC, "frag %d, holes %d",
+ frag->fr_id, frag->fr_holes);
return (PF_PASS); /* drop because *m0 is NULL, no error */
}
@@ -872,14 +873,14 @@ pf_reassemble(struct mbuf **m0, u_short *reason)
ip->ip_off &= ~(IP_MF|IP_OFFMASK);
if (hdrlen + total > IP_MAXPACKET) {
- DPFPRINTF(("drop: too big: %d\n", total));
+ DPFPRINTF(PF_DEBUG_MISC, "drop: too big: %d", total);
ip->ip_len = 0;
REASON_SET(reason, PFRES_SHORT);
/* PF_DROP requires a valid mbuf *m0 in pf_test() */
return (PF_DROP);
}
- DPFPRINTF(("complete: %p(%d)\n", m, ntohs(ip->ip_len)));
+ DPFPRINTF(PF_DEBUG_MISC, "complete: %p(%d)", m, ntohs(ip->ip_len));
return (PF_PASS);
}
#endif /* INET */
@@ -931,8 +932,8 @@ pf_reassemble6(struct mbuf **m0, struct ip6_frag *fraghdr,
m = *m0 = NULL;
if (frag->fr_holes) {
- DPFPRINTF(("frag %d, holes %d\n", frag->fr_id,
- frag->fr_holes));
+ DPFPRINTF(PF_DEBUG_MISC, "frag %d, holes %d", frag->fr_id,
+ frag->fr_holes);
PF_FRAG_UNLOCK();
return (PF_PASS); /* Drop because *m0 is NULL, no error. */
}
@@ -993,14 +994,15 @@ pf_reassemble6(struct mbuf **m0, struct ip6_frag *fraghdr,
ip6->ip6_nxt = proto;
*** 309 LINES SKIPPED ***
