OS-7667 IPFilter needs to keep and report state for cloud firewall lo…

…gging

Portions contributed by: Mike Gerdts <mike.gerdts@joyent.com>
Reviewed by: Mike Gerdts <mike.gerdts@joyent.com>
Reviewed by: Cody Peter Mello <cody.mello@joyent.com>
Reviewed by: Michael Zeller <mike.zeller@joyent.com>
Approved by: Michael Zeller <mike.zeller@joyent.com>

manifest

@@ -80,6 +80,7 @@ s dev/ip6=../devices/pseudo/ip6@0:ip6
 s dev/ip=../devices/pseudo/ip@0:ip
 s dev/ipauth=../devices/pseudo/ipf@0:ipauth
 s dev/ipf=../devices/pseudo/ipf@0:ipf
+s dev/ipfev=../devices/pseudo/ipf@0:ipfev
 s dev/ipl=../devices/pseudo/ipf@0:ipf
 s dev/iplookup=../devices/pseudo/ipf@0:iplookup
 s dev/ipmpstub=../devices/pseudo/dlpistub@0:ipmpstub

usr/src/cmd/devfsadm/misc_link.c

@@ -21,7 +21,7 @@
 /*
  * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
  * Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
- * Copyright (c) 2015, Joyent, Inc. All rights reserved.
+ * Copyright 2019 Joyent, Inc.
  */
 
 #include <regex.h>
@@ -124,7 +124,7 @@ static devfsadm_create_t misc_cbt[] = {
 	},
 	{ "pseudo", "ddi_pseudo",
 	    "(^ipf$)|(^ipnat$)|(^ipstate$)|(^ipauth$)|"
-	    "(^ipsync$)|(^ipscan$)|(^iplookup$)",
+	    "(^ipsync$)|(^ipscan$)|(^iplookup$)|(^ipfev$)",
 	    TYPE_EXACT | DRV_RE, ILEVEL_0, minor_name,
 	},
 	{ "pseudo", "ddi_pseudo", "dld",

usr/src/cmd/ipf/lib/common/printfr.c

@@ -7,9 +7,10 @@
  *
  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
+ * Copyright 2019 Joyent, Inc.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
+#include <uuid/uuid.h>
 
 #include "ipf.h"
 
@@ -386,7 +387,8 @@ ioctlfunc_t	iocfunc;
 		printf(" head %s", fp->fr_grhead);
 	if (*fp->fr_group != '\0')
 		printf(" group %s", fp->fr_group);
-	if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) {
+	if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag ||
+	    (fp->fr_flags & FR_CFWLOG) || !uuid_is_null(fp->fr_uuid)) {
 		char *s = "";
 
 		printf(" set-tag(");
@@ -397,6 +399,18 @@ ioctlfunc_t	iocfunc;
 		if (*fp->fr_nattag.ipt_tag) {
 			printf("%snat=%-.*s", s, IPFTAG_LEN,
 				fp->fr_nattag.ipt_tag);
+			s = ", ";
+		}
+		if (fp->fr_flags & FR_CFWLOG) {
+			printf("cfwlog");
+			s = ", ";
+		}
+
+		if (!uuid_is_null(fp->fr_uuid)) {
+			char uuid[UUID_PRINTABLE_STRING_LENGTH];
+
+			uuid_unparse(fp->fr_uuid, uuid);
+			printf("%suuid=%s", s, uuid);
 		}
 		printf(")");
 	}

usr/src/cmd/ipf/tools/Makefile.tools

@@ -23,7 +23,7 @@
 # Use is subject to license terms.
 #
 # Copyright 2013 Nexenta Systems, Inc.  All rights reserved.
-# Copyright (c) 2012, Joyent Inc. All rights reserved.
+# Copyright 2019 Joyent, Inc.
 #
 
 PROG=		ipf ipfs ipmon ipnat ippool ipfstat
@@ -35,7 +35,7 @@ IPFSTAT_OBJS=	ipfstat.o ipfzone.o
 IPMON_OBJS=	ipmon.o ipfzone.o ipmon_y.o ipmon_l.o
 IPNAT_OBJS=	ipnat.o ipfzone.o ipnat_y.o ipnat_l.o
 IPPOOL_OBJS=	ippool.o ipfzone.o ippool_y.o ippool_l.o
-IPFTEST_OBJS=	ipftest.o ipfzone.o \
+IPFTEST_OBJS=	cfw.o ipftest.o ipfzone.o \
 		ip_fil.o ip_state.o ip_compat.o \
 		ip_frag.o ip_nat.o ip_nat6.o fil.o \
 		ip_htable.o ip_lookup.o \
@@ -56,7 +56,7 @@ SRCS=		$(OBJSL:%.o=../%.c)
 include ../../../Makefile.cmd
 include ../../Makefile.ipf
 
-LDLIBS		+= $(LIBBPF)
+LDLIBS		+= $(LIBBPF) -luuid
 LDFLAGS		+= $(MAPFILE.NGB:%=-M%)
 
 CPPFLAGS	+= -I. -DIPFILTER_LOOKUP -DIPFILTER_LOG

usr/src/cmd/ipf/tools/ipf_y.y

@@ -6,6 +6,7 @@
  *
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
+ * Copyright 2019 Joyent, Inc.
  */
 
 #include "ipf.h"
@@ -16,6 +17,7 @@
 # define _NET_BPF_H_
 # include <pcap.h>
 #endif
+#include <uuid/uuid.h>
 #include "netinet/ip_pool.h"
 #include "netinet/ip_htable.h"
 #include "netinet/ipl.h"
@@ -98,6 +100,7 @@ static  int             set_ipv6_addr = 0;
 		union	i6addr	m;
 	} ipp;
 	union	i6addr	ip6;
+	uuid_t	uuid;
 };
 
 %type	<port>	portnum
@@ -117,6 +120,7 @@ static  int             set_ipv6_addr = 0;
 %token		YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
 %token		YY_RANGE_OUT YY_RANGE_IN
 %token	<ip6>	YY_IPV6
+%token	<uuid>	YY_UUID
 
 %token	IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
 %token	IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
@@ -127,6 +131,7 @@ static  int             set_ipv6_addr = 0;
 %token	IPFY_HEAD IPFY_GROUP
 %token	IPFY_AUTH IPFY_PREAUTH
 %token	IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
+%token	IPFY_UUID IPFY_CFWLOG
 %token	IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
 %token	IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
 %token	IPFY_PPS
@@ -518,6 +523,8 @@ taginlist:
 taginspec:
 	logtag
 	|nattag
+	|uuidtag
+	|cfwtag
 	;
 
 nattag:	IPFY_NAT '=' YY_STR		{ DOALL(strncpy(fr->fr_nattag.ipt_tag,\
@@ -530,6 +537,12 @@ nattag:	IPFY_NAT '=' YY_STR		{ DOALL(strncpy(fr->fr_nattag.ipt_tag,\
 logtag:	IPFY_LOG '=' YY_NUMBER		{ DOALL(fr->fr_logtag = $3;) }
 	;
 
+cfwtag:	IPFY_CFWLOG			{ DOALL(fr->fr_flags |= FR_CFWLOG;) }
+	;
+
+uuidtag: IPFY_UUID '=' YY_UUID		{ DOALL(uuid_copy(fr->fr_uuid, $3);) }
+	;
+
 settagout:
 	| IPFY_SETTAG '(' tagoutlist ')'
 	;
@@ -542,6 +555,8 @@ tagoutlist:
 tagoutspec:
 	logtag
 	| nattag
+	| uuidtag
+	| cfwtag
 	;
 
 matchtagin:
@@ -1566,6 +1581,7 @@ static	struct	wordtab ipfwords[96] = {
 	{ "bpf-v6",			IPFY_BPFV6 },
 #endif
 	{ "call",			IPFY_CALL },
+	{ "cfwlog",			IPFY_CFWLOG },
 	{ "code",			IPFY_ICMPCODE },
 	{ "count",			IPFY_COUNT },
 	{ "dup-to",			IPFY_DUPTO },
@@ -1641,6 +1657,7 @@ static	struct	wordtab ipfwords[96] = {
 	{ "to",				IPFY_TO },
 	{ "ttl",			IPFY_TTL },
 	{ "udp",			IPFY_UDP },
+	{ "uuid",			IPFY_UUID },
 	{ "v6hdrs",			IPF6_V6HDRS },
 	{ "with",			IPFY_WITH },
 	{ NULL,				0 }

usr/src/cmd/ipf/tools/ipmon_y.y

@@ -1,11 +1,14 @@
 /*
  * Copyright (C) 1993-2005  by Darren Reed.
  * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * Copyright 2019 Joyent, Inc.
  */ 
 
 %{
 #include "ipf.h"
 #include <syslog.h>
+#include <uuid/uuid.h>
 #undef	OPT_NAT
 #undef	OPT_VERBOSE
 #include "ipmon_l.h"
@@ -42,11 +45,13 @@ static	ipmon_action_t	*alist = NULL;
 	struct in_addr	addr;
 	struct opt	*opt;
 	union	i6addr	ip6;
+	uuid_t	uuid;
 }
 
 %token	<num>	YY_NUMBER YY_HEX
 %token	<str>	YY_STR
 %token	<ip6>	YY_IPV6
+%token	<uuid>	YY_UUID
 %token	YY_COMMENT 
 %token	YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
 %token	YY_RANGE_OUT YY_RANGE_IN

usr/src/cmd/ipf/tools/ipnat_y.y

@@ -6,6 +6,7 @@
  *
  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
+ * Copyright 2019 Joyent, Inc.
  */
 
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -39,6 +40,7 @@
 #include <sys/time.h>
 #include <syslog.h>
 #include <net/if.h>
+#include <uuid/uuid.h>
 #if __FreeBSD_version >= 300000
 # include <net/if_var.h>
 #endif
@@ -89,6 +91,7 @@ static	void	setnatproto __P((int));
 		int	v;
 	} ipp;
 	union	i6addr	ip6;
+	uuid_t	uuid;
 };
 
 %token  <num>   YY_NUMBER YY_HEX
@@ -97,6 +100,7 @@ static	void	setnatproto __P((int));
 %token	  YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
 %token	  YY_RANGE_OUT YY_RANGE_IN
 %token  <ip6>   YY_IPV6
+%token  <uuid>	YY_UUID
 
 %token	IPNY_MAPBLOCK IPNY_RDR IPNY_PORT IPNY_PORTS IPNY_AUTO IPNY_RANGE
 %token	IPNY_MAP IPNY_BIMAP IPNY_FROM IPNY_TO IPNY_MASK IPNY_PORTMAP IPNY_ANY

usr/src/cmd/ipf/tools/ippool_y.y

@@ -6,6 +6,7 @@
  *
  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
+ * Copyright 2019 Joyent, Inc.
  */
 
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -34,6 +35,7 @@
 #include <netdb.h>
 #include <ctype.h>
 #include <unistd.h>
+#include <uuid/uuid.h>
 
 #include "ipf.h"
 #include "netinet/ip_lookup.h"
@@ -66,6 +68,7 @@ static	int		set_ipv6_addr = 0;
 	iphtent_t	*ipe;
 	ip_pool_node_t	*ipp;
 	union	i6addr	ip6;
+	uuid_t	uuid;
 }
 
 %token  <num>   YY_NUMBER YY_HEX
@@ -74,6 +77,7 @@ static	int		set_ipv6_addr = 0;
 %token	  YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
 %token	  YY_RANGE_OUT YY_RANGE_IN
 %token  <ip6>   YY_IPV6
+%token  <uuid>	YY_UUID
 
 %token	IPT_IPF IPT_NAT IPT_COUNT IPT_AUTH IPT_IN IPT_OUT
 %token	IPT_TABLE IPT_GROUPMAP IPT_HASH

usr/src/cmd/ipf/tools/lexer.c

@@ -5,6 +5,7 @@
  *
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
+ * Copyright 2019 Joyent, Inc.
  */
 
 #include <ctype.h>
@@ -14,13 +15,15 @@
 #endif
 #include <sys/ioctl.h>
 #include <syslog.h>
+#include <uuid/uuid.h>
 #ifdef	TEST_LEXER
 # define	NO_YACC
 union	{
 	int		num;
 	char		*str;
 	struct in_addr	ipa;
 	i6addr_t	ip6;
+	uuid_t		uuid;
 } yylval;
 #endif
 #include "lexer.h"
@@ -455,6 +458,40 @@ int yylex()
 	}
 #endif
 
+	/*
+	 * UUID: e.g., "2426e38c-9f63-c0b8-cfd5-9aaeaf992d42" or its uppercase
+	 * variant.
+	 */
+	if (isbuilding == 0 && (ishex(c) || c == '-')) {
+		char uuidbuf[UUID_PRINTABLE_STRING_LENGTH], *s, oc;
+		int start;
+
+		start = yypos;
+		s = uuidbuf;
+		oc = c;
+
+		/*
+		 * Don't worry about exact position of hexdigits and hyphens
+		 * because uuid_parse() will provide the sanity check.
+		 */
+		do {
+			*s++ = c;
+			c = yygetc(1);
+		} while ((ishex(c) || c == '-') &&
+		    (s - uuidbuf < sizeof (uuidbuf)));
+		yyunputc(c);
+		*s = '\0';
+
+		if (uuid_parse(uuidbuf, yylval.uuid) == 0) {
+			rval = YY_UUID;
+			yyexpectaddr = 0;
+			goto done;
+		}
+		yypos = start;
+		c = oc;
+	}
+
+
 	if (c == ':') {
 		if (isbuilding == 1) {
 			yyunputc(c);

usr/src/cmd/ipf/tools/lexer.h

@@ -1,4 +1,6 @@
-
+/*
+ * Copyright 2019 Joyent, Inc.
+ */
 typedef	struct	wordtab	{
 	char	*w_word;
 	int	w_value;
@@ -16,6 +18,7 @@ typedef	struct	wordtab	{
 #define	YY_IPV6		1008
 #define	YY_STR		1009
 #define	YY_IPADDR	1010
+#define	YY_UUID		1011
 #endif
 
 #define	YYBUFSIZ	8192

usr/src/uts/common/Makefile.files

@@ -1804,8 +1804,8 @@ USB_IA_OBJS += usb_ia.o
 
 SCSA2USB_OBJS += scsa2usb.o usb_ms_bulkonly.o usb_ms_cbi.o
 
-IPF_OBJS += ip_fil_solaris.o fil.o solaris.o ip_state.o ip_frag.o ip_nat.o \
-	    ip_proxy.o ip_auth.o ip_pool.o ip_htable.o ip_lookup.o \
+IPF_OBJS += cfw.o ip_fil_solaris.o fil.o solaris.o ip_state.o ip_frag.o \
+	    ip_nat.o ip_proxy.o ip_auth.o ip_pool.o ip_htable.o ip_lookup.o \
 	    ip_log.o misc.o ip_compat.o ip_nat6.o drand48.o
 
 IPD_OBJS += ipd.o