author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-04-27 15:04:07 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-05-02 18:31:13 +0200 |
commit | c179ee88d91a84fc75dc4602cca500e8fa72ed66 (patch) | |
tree | b6b149622e02c81265a673145d6b9a260776f799 /src/logging.c |
initial commit
This patch bootstraps the new nft-sync software. Basically, this
software aims to support two different setups:
1) Rule-set repository server. The software serves the nft rule-set to
clients that request the ruleset.
Basically from the system that acts as repository, you have to run:
# nft-sync -c ../contrib/nft-sync.conf.server
Then, from the client:
# nft-sync -c ../contrib/nft-sync.conf.client --fetch
Which displays the nft rule-set in the standard output, so you
can inspect the nft rule-set.
Alternatively, the client can also retrieve and apply the nft
rule-set using the pull command instead:
# nft-sync -c ../contrib/nft-sync.conf.client --pull
[ Note that this command above does not work in this bootstrap yet ]
2) Rule-set synchronization: In case of primary-backup and multiprimary
firewall configurations, the software makes sure that the firewall
cluster is deploying the same filtering policy. In this case, you have
to launch the process:
# nft-sync -c ../contrib/nft-sync.conf --sync
[ Note that this command above does not work in this bootstrap yet ]
This bootstrap provides the basic infrastructure as a proof-of-concept.
Many of the necessary features are still lacking:
* Implement --sync and --pull commands.
* Interaction with nft through libnftnl, which allows the software to
retrieve the local nft rule-set, as well as to parse it and apply it.
* SSL support, specifically the repository mode needs it to make sure
nobody can steal your filtering policy from the network.
* IPv6 support.
* Allow to serve different rule-sets in the repository mode.
And many others that will be added progressively.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/logging.c')
-rw-r--r-- | src/logging.c | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/src/logging.c b/src/logging.c
new file mode 100644
index 0000000..9907e5f
--- /dev/null
+++ b/src/logging.c
@@ -0,0 +1,113 @@
+/*
+ * (C) 2014 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+#include <syslog.h>
+
+#include "config.h"
+#include "logging.h"
+
+static struct {
+ const char *text;
+ const char *color;
+} logging[NFTS_LOG_MAX] = {
+ [NFTS_LOG_DEBUG] = {
+ .text = "DEBUG",
+ .color = "\033[1;33m",
+ },
+ [NFTS_LOG_INFO] = {
+ .text = "INFO",
+ .color = "\033[1;32m",
+ },
+ [NFTS_LOG_NOTICE] = {
+ .text = "NOTICE",
+ .color = "\033[1;36m",
+ },
+ [NFTS_LOG_ERROR] = {
+ .text = "ERROR",
+ .color = "\033[1;33m",
+ },
+ [NFTS_LOG_FATAL] = {
+ .text = "FATAL",
+ .color = "\033[1;31m",
+ },
+};
+
+int nft_sync_log_init(struct nft_sync_inst *inst)
+{
+ int ret = 0;
+
+ switch (inst->log.type) {
+ case NFTS_LOG_T_SYSLOG:
+ break;
+ case NFTS_LOG_T_FILE:
+ if (inst->log.fd == NULL)
+ inst->log.fd = stdout;
+ else {
+ inst->log.fd = fopen(inst->log.filename, "w+");
+ if (inst->log.fd == NULL)
+ return -1;
+ }
+ break;
+ }
+
+ return ret;
+}
+
+void nft_sync_log_fini(struct nft_sync_inst *inst)
+{
+ switch (inst->log.type) {
+ case NFTS_LOG_T_SYSLOG:
+ break;
+ case NFTS_LOG_T_FILE:
+ if (inst->log.fd != NULL)
+ fclose(inst->log.fd);
+ break;
+ }
+}
+
+void nft_sync_log(struct nft_sync_inst *inst, int prio,
+ const char *format, ...)
+{
+ time_t t;
+ char *timebuf = NULL;
+ va_list args;
+
+ switch (inst->log.type) {
+ case NFTS_LOG_T_FILE:
+ t = time(NULL);
+ timebuf = ctime(&t);
+ timebuf[strlen(timebuf) - 1]='\0';
+ break;
+ case NFTS_LOG_T_SYSLOG:
+ break;
+ }
+
+ switch (inst->log.type) {
+ case NFTS_LOG_T_FILE:
+ va_start(args, format);
+ fprintf(inst->log.fd, "%s[%s] [%s] ",
+ inst->log.color ? logging[prio].color : "", timebuf,
+ logging[prio].text);
+ vfprintf(inst->log.fd, format, args);
+ va_end(args);
+ fprintf(inst->log.fd, "%s\n",
+ inst->log.color ? "\033[1;0m" : "");
+ fflush(inst->log.fd);
+ break;
+ case NFTS_LOG_T_SYSLOG:
+ va_start(args, format);
+ vsyslog(prio, format, args);
+ va_end(args);
+ break;
+ }
+}
|
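Review bot: The NFTS_LOG_T_FILE branch of nft_sync_log_init() looks inverted: when `inst->log.fd` is NULL (the fresh-instance case) it silently falls back to stdout and never opens `inst->log.filename`, while a stream that was already set is overwritten by `fopen()` and leaked. The condition should presumably be `if (inst->log.filename == NULL)`, and since the file is a log, `"a"` rather than `"w+"` would avoid truncating it on every start. nft_sync_log_fini() then unconditionally `fclose()`s the stream, which closes stdout when the fallback was taken; guard it with `if (inst->log.fd != NULL && inst->log.fd != stdout)`. Separately, `vsyslog(prio, format, args)` is handed an `NFTS_LOG_*` value, and unless logging.h defines those constants to the syslog `LOG_*` levels, a debug message with a value of 0 would be emitted as `LOG_EMERG`. In the file path `logging[prio]` is indexed without checking `prio < NFTS_LOG_MAX`, and `ctime()` may return NULL, which the `timebuf[strlen(timebuf) - 1]` truncation would dereference.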