Index: packetbl.c ================================================================== --- packetbl.c +++ packetbl.c @@ -1,7 +1,7 @@ -/* Copyright 2004 Russell Miller +/* Copyright 2004-2011 Russell Miller This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. @@ -43,17 +43,11 @@ if (pid > 0) { exit(EXIT_SUCCESS); } if (pid < 0) { - if (conf.debug == 0) { - syslog(LOG_ERR, "Fork failed while daemonizing: %s", - strerror(errno)); - } else { - fprintf(stderr, "Fork failed while daemonizing: %s", - strerror(errno)); - } + DPRINT("Fork failed while damonizing: %s", strerror(errno)); exit(EXIT_FAILURE); } } @@ -176,23 +170,22 @@ #ifdef USE_CACHE uint32_t ipaddr_check; uint32_t cache_hash = 0; time_t currtime; - char *actionstr; + char *actionstr = NULL, *buf = NULL; currtime = time(NULL); ipaddr_check = packet_info_to_ip(ip); if (packet_cache_len > 0) { cache_hash = packet_cache_hash(ip) % packet_cache_len; } - + buf = get_ip_string(&ip); if (cache_hash>0 && cache_hashcurrtime) { - get_ip_string(&ip); retval = packet_cache[cache_hash].action; switch (retval) { case NF_DROP: actionstr="reject"; statistics.cachereject++; 
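Review bot: The fork-failure message in the hunk at -43 is now logged through DPRINT, which hard-codes LOG_INFO, so the LOG_ERR priority of the removed syslog() call is lost for a condition that terminates the daemon. Keep `syslog(LOG_ERR, "Fork failed while daemonizing: %s", strerror(errno));` on the syslog side here, or give DPRINT a priority argument, so the error is not filtered out together with informational messages. The new line also introduces a typo ("damonizing"): `DPRINT("Fork failed while daemonizing: %s", strerror(errno));`.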
@@ -203,120 +196,45 @@ break; default: actionstr="???"; break; } - if (!conf.quiet) { - if (conf.debug == 0) { - syslog(LOG_INFO, "[Found in cache (%s)] [%s]", - actionstr, msgbuf); - } else { - fprintf(stderr, "[Found in cache (%s)] [%s]", - actionstr, msgbuf); - } - } + DPRINTQ("[Found in cache (%s)] [%s]", + actionstr, buf); + free(buf); return retval; } } +#else + int rv; + char *buf; + + buf = get_ip_string(&ip); #endif - /* the get_ip_string is set AFTER the check_packet_* - * calls because of the possibility they could screw with - * msgbuf. They shouldn't, really, but better safe than - * sorry, at least for now. */ - if (check_packet_list(&ip, conf.whitelist) == 1) { - get_ip_string(&ip); - if (!conf.quiet) { - if (conf.debug == 0) { - syslog(LOG_INFO, - "[accept whitelist] [%s]", - msgbuf); - } else { - fprintf(stderr, - "[accept whitelist] [%s]", - msgbuf); - } - } + if (retval = check_packet_list(&ip, conf.whitelist) > 0) { + DPRINTQ("[accept whitelist] [%s] [%d]\n", buf, retval); statistics.whitelisthits++; retval=NF_ACCEPT; - } else - if (check_packet_list(&ip, conf.blacklist) == 1) { - get_ip_string(&ip); - if (!conf.quiet) { - if (conf.debug == 0) { - syslog(LOG_INFO, - "[reject blacklist] [%s]\n", - msgbuf); - } else { - fprintf(stderr, - "[reject blacklist] [%s]\n", - msgbuf); - } - - } + } else if (retval = check_packet_list(&ip, conf.blacklist) > 0) { + DPRINTQ("[reject blacklist] [%s] [%d]\n", buf, retval); statistics.blacklisthits++; retval=NF_DROP; - } else - if (check_packet_dnsbl(&ip, conf.whitelistbl) == 1) { - get_ip_string(&ip); - if (!conf.quiet) { - if (conf.debug == 0) { - syslog(LOG_INFO, - "[accept dnsbl] [%s]", - msgbuf); - } else { - fprintf(stderr, - "[accept dnsbl] [%s]", - msgbuf); - } - } + } else if (retval = check_packet_dnsbl(&ip, conf.whitelistbl) > 0) { + DPRINTQ("[accept dnsbl] [%s] [%d]", buf, retval); statistics.whitelistblhits++; retval=NF_ACCEPT; - } else - if (check_packet_dnsbl(&ip, conf.blacklistbl) == 1) { - 
get_ip_string(&ip); - if (!conf.quiet) { - if (conf.debug == 0) { - syslog(LOG_INFO, - "[reject dnsbl] [%s]", - msgbuf); - } else { - fprintf(stderr, - "[reject dnsbl] [%s]", - msgbuf); - } - } + } else if (retval = check_packet_dnsbl(&ip, conf.blacklistbl) > 0) { + DPRINTQ("[reject dnsbl] [%s] [%d]", buf, retval); statistics.blacklistblhits++; retval=NF_DROP; } else { - get_ip_string(&ip); if (conf.default_accept == 1) { - if (!conf.quiet) { - if (conf.debug == 0) { - syslog(LOG_INFO, - "[accept fallthrough] [%s]", - msgbuf); - } else { - fprintf(stderr, - "[accept fallthrough] [%s]", - msgbuf); - } - } + DPRINTQ("[accept fallthrough] [%s]", buf); retval=NF_ACCEPT; } else { - if (!conf.quiet) { - if (conf.debug == 0) { - syslog(LOG_INFO, - "[reject fallthrough] [%s]", - msgbuf); - } else { - fprintf(stderr, - "[reject fallthrough] [%s]", - msgbuf); - } - - } + DPRINTQ("[reject fallthrough] [%s]", buf); retval=NF_DROP; } statistics.fallthroughhits++; } @@ -327,10 +245,11 @@ packet_cache[cache_hash].action = retval; packet_cache[cache_hash].expires = currtime + packet_cache_ttl; } #endif + free(buf); return retval; } static int pbl_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { @@ -743,10 +662,11 @@ /* shouldn't happen... */ fprintf(stderr, "Failed to allocate memory for ce struct\n"); exit(EXIT_FAILURE); } + ce->index = i; ce->string = (char *)strdup(setting); ce->next = NULL; #ifdef HAVE_FIREDNS blacklistlen = strlen(ce->string); if (ce->string[blacklistlen - 1] == '.') { 
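Review bot: Each of the four new conditions of the form `if (retval = check_packet_list(&ip, conf.whitelist) > 0)` assigns the result of the comparison rather than the return value, because `>` binds tighter than `=`; the `[%d]` in the DPRINTQ lines therefore always logs 1 and the matched index is lost. Parenthesise the assignment in all four: `if ((retval = check_packet_list(&ip, conf.whitelist)) > 0) {`. The `> 0` test also interacts with the index stored by the hunk at -743 (`ce->index = i;`) and returned by the hunk at -1107: if the loop counter `i` starts at 0, which is not visible here, a match on the first entry of a list returns 0 and is treated as no match, so for the blacklist that packet falls through to the default verdict; numbering entries from 1 (`ce->index = i + 1;`) and saying so in the comment changed in the hunk at -1072 avoids the collision. The `int rv;` declared in the new `#else` branch is unused. The enclosing function starts before this hunk, where `retval` is declared, and its cleanup is in the hunk at -327.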
@@ -1072,12 +992,12 @@ * struct packet_info *ip IP address data to check in supplied list. * struct config_entry *list List that contains data to check in against, * whitelist for example. * * RETURN VALUE: - * 0 is returned if the "ip" cannot be found in the given "list". 1 is - * returned on a successful match. + * 0 is returned if the "ip" cannot be found in the given "list". The index + * of the matched list is returned on a successful match. * * NOTES: * "check_packet_list" searches the given list parameter (which is a list * CIDRs) to determine if the data passed in "ip" matches (whitelist, for * for example). @@ -1107,19 +1027,11 @@ p = ip_proc; p &= wltmp->cidr.processed; if (p == wltmp->cidr.ip) { - rv = snprintf(msgbuf, sizeof(msgbuf), - "%hhu.%hhu.%hhu.%hhu %x/%d", - ip->b1, ip->b2, ip->b3, ip->b4, - wltmp->cidr.ip, wltmp->cidr.network); - if (rv < 0) { - syslog(LOG_ERR, "snprintf failed at line %d: %s", - __LINE__, strerror(errno)); - exit (1); - } + return wltmp->index; return 1; } if (wltmp->next == NULL) { break; @@ -1130,11 +1042,11 @@ return 0; } /* * SYNOPSIS: - * static void get_ip_string( + * char * get_ip_string( * const struct packet_info *ip * ); * * ARGUMENTS: * struct packet_info *ip Structure containing IP parts to construct 
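Review bot: In the hunk at -1107 the `return 1;` after `return wltmp->index;` is unreachable and should be dropped. With the snprintf removed, the `rv` local of check_packet_list, declared before this hunk, is probably left unused and will draw a compiler warning. The function's head and its return on the not-found path are outside the hunk.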
@@ -1142,38 +1054,46 @@ * * RETURN VALUE: * (none) * * NOTES: - * This function takes the data in the parameter "ip" and stores an ASCII - * representation in the global variable "msgbuf." + * This function takes the data in the parameter "ip" and returns a buffer + * containing a string representation. This buffer must be freed. * It must be able to cope with "ip" being NULL. * */ -static void get_ip_string(const struct packet_info *ip) { +char *get_ip_string(const struct packet_info *ip) { int rv; - + char *buf = NULL; + + buf = malloc(BUFFERSIZE); + if (buf == NULL) { + syslog(LOG_ERR, "could not malloc buf in get_ip_string: %s\n", + strerror(errno)); + exit(EXIT_FAILURE); + } + if (ip == NULL) { - rv = sprintf(msgbuf, "-"); + rv = sprintf(buf, "-"); if (rv < 0) { syslog(LOG_ERR, "sprintf failed in line %d: %s", __LINE__, strerror(errno)); - exit(1); + exit(EXIT_FAILURE); } - return; + return buf; } - rv = snprintf(msgbuf, sizeof(msgbuf), "%hhu.%hhu.%hhu.%hhu:%hu.%hu", + rv = snprintf(buf, BUFFERSIZE, "%hhu.%hhu.%hhu.%hhu:%hu.%hu", ip->b1, ip->b2, ip->b3, ip->b4, ip->s_port,ip->d_port); if (rv < 0) { syslog(LOG_ERR, "snprintf failed in line %d: %s", __LINE__, strerror(errno)); exit(1); } - return; + return buf; } #ifdef USE_SOCKSTAT /* * SYNOPSIS: Index: packetbl.h ================================================================== --- packetbl.h +++ packetbl.h @@ -69,10 +69,17 @@ # define PBL_ID_T u_int32_t # define PBL_ERRSTR "" #define DEBUG(x, y) if (conf.debug >= x) { printf(y "\n"); } #define INVALID_OCTET(x) x < 0 || x > 255 +#define DPRINT(format, args...) if (conf.debug == 0) { \ + syslog(LOG_INFO, format , ## args); \ +} else { \ + fprintf(stderr, format , ## args); \ +} + +#define DPRINTQ(format, args...) if (!conf.quiet) { DPRINT(format, ## args) }; struct packet_info { uint8_t b1; uint8_t b2; 
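Review bot: The RETURN VALUE section of get_ip_string's comment still reads `(none)` although the function now returns a heap buffer; replace it with `* A malloc()ed, NUL-terminated string that the caller must free().`. The snprintf failure path still calls `exit(1)` while the new malloc check and the sprintf path use `exit(EXIT_FAILURE)`; make it `exit(EXIT_FAILURE);` for consistency. Since the helper is now called once per packet, a heap allocation failure terminates the whole filter; returning NULL and letting the callers log `-` instead would be more forgiving, but that is a design choice to make explicit in the comment either way.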
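Review bot: DPRINT expands to a bare if/else statement and DPRINTQ appends a stray `;` after its block, so a use such as `if (c) DPRINT(...); else ...` or `if (c) DPRINTQ(...); else ...` fails to compile, and an unbraced `if (c) DPRINT(...)` followed by an `else` of the caller binds that else to the macro's inner `if`; wrap both expansions in `do { ... } while (0)` as below. DPRINT also hard-codes LOG_INFO, so any error reported through it (the fork failure in the packetbl.c hunk at -43) is logged at informational priority; consider a priority parameter or a separate error variant. The `args...` named-variadic form and `, ## args` are GNU extensions and tie the header to GCC/Clang.
```c
#define DPRINT(format, args...) do { \
	if (conf.debug == 0) { \
		syslog(LOG_INFO, format , ## args); \
	} else { \
		fprintf(stderr, format , ## args); \
	} \
} while (0)

#define DPRINTQ(format, args...) do { \
	if (!conf.quiet) { DPRINT(format, ## args); } \
} while (0)
```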
@@ -97,15 +104,14 @@ char *string; struct config_entry *next; struct packet_info ip; struct cidr cidr; + int index; }; -char msgbuf[BUFFERSIZE]; - struct config { int allow_non25; int allow_nonsyn; int default_accept; int dryrun; @@ -139,11 +145,11 @@ time_t expires; int action; }; struct packet_cache_t *packet_cache = NULL; uint32_t packet_cache_len = USE_CACHE_DEF_LEN; -uint16_t packet_cache_ttl = USE_CACHE_DEF_TTL; +uint32_t packet_cache_ttl = USE_CACHE_DEF_TTL; #endif struct config_entry *hostlistcache = NULL; int get_packet_info(char *payload, struct packet_info *ip); @@ -153,11 +159,11 @@ int parse_cidr(struct config_entry *ce); /* int validate_blacklist(char *); */ void parse_config(void); void parse_arguments(int argc, char **argv); void pbl_init_sockstat(void); -static void get_ip_string(const struct packet_info *ip); +char * get_ip_string(const struct packet_info *ip); static void pbl_set_verdict(struct PBL_HANDLE *h, PBL_ID_T id, unsigned int verdict); static int pbl_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data);
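Review bot: The new `index` member of struct config_entry has no comment saying what it holds or who sets it, and its value is now the return contract of check_packet_list; add `int index; /* position of this entry in its list, set where the entry is built; returned by check_packet_list() on a match */`. Removing `char msgbuf[BUFFERSIZE];` from the header is a good change since a header should not define objects.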
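Review bot: The prototype `char * get_ip_string(const struct packet_info *ip);` in the hunk at -153 now hands ownership of a heap buffer to the caller, but nothing at the declaration says so; add `/* Returns a malloc()ed string; the caller must free() it. */` above it. Dropping `static` also exports the symbol; if no other translation unit calls it, keeping both the definition and this declaration `static` is the smaller change.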