ntp+cmdmon: log allow/deny commands

Log added NTP and command access restrictions, using INFO severity if
from a chronyc command, DEBUG otherwise (i.e. from the config).

diff --git a/cmdmon.c b/cmdmon.c
index 89ce191cfac60b5b8fd15be0ca5e9bbdb4a9f5f6..2eb238450b6a7d47738db348adbcd81a88a1ea9c 100644 (file)
--- a/cmdmon.c
+++ b/cmdmon.c
@@ -1799,6 +1799,9 @@ CAM_AddAccessRestriction(IPAddr *ip_addr, int subnet_bits, int allow, int all)
   if (status == ADF_BADSUBNET) {
     return 0;
   } else if (status == ADF_SUCCESS) {
+    LOG(LOG_GetContextSeverity(LOGC_Command), "%s%s %s access from %s",
+        allow ? "Allowed" : "Denied", all ? " all" : "", "command",
+        UTI_IPSubnetToString(ip_addr, subnet_bits));
     return 1;
   } else {
     return 0;

diff --git a/ntp_core.c b/ntp_core.c
index 63c5a3a2cca267460833fbbddf15ac6ddd8f9d1b..1d39dedd472025bee75feeb5d498adbdc4f2bc06 100644 (file)
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -2856,6 +2856,10 @@ NCR_AddAccessRestriction(IPAddr *ip_addr, int subnet_bits, int allow, int all)
   if (status != ADF_SUCCESS)
     return 0;
 
+  LOG(LOG_GetContextSeverity(LOGC_Command), "%s%s %s access from %s",
+      allow ? "Allowed" : "Denied", all ? " all" : "", "NTP",
+      UTI_IPSubnetToString(ip_addr, subnet_bits));
+
   /* Keep server sockets open only when an address allowed */
   if (allow) {
     NTP_Remote_Address remote_addr;