SunScreen 3.2 Administrator's Overview

Log Macro Name and Body

The name of a log macro consists of a name=macroname part, preceded by an optional sys=Screenname Screen-restriction part.

Unlike many objects in SunScreen, the macroname portion must be formulated as a simple identifier rather than a more complicated general string. (A simple identifier begins with an ASCII alphabetic character or an underscore, followed by zero or more ASCII alphanumeric characters or underscores.)

The macrobody (value part) of a log macro consists of a filtering expression suitable for logdump. In its simplest form, this is a string that can be used directly as filtering arguments.

However, the log macro expansion feature parses the value string looking for logdump operators that introduce address and service names and, when it finds them, attempts to resolve those names from the SunScreen registry. For addresses, it looks for the operators host, to, from, between, dst, and src and tries to resolve their operands in the address registry. If an operand is found, the operator-operand sequence is rewritten with the registry value for that address.

Similarly, for services, it looks for the operators port, dstport, and srcport. If their operand resolves in the service registry, the operator-operand sequence is rewritten with the registry value.


Note -

In SunScreen, the registry services expanded in this manner can only consist of TCP or UDP services. Ranges of ports are allowed but groups are disallowed, as are services that use non-TCP non-UDP state engines.


Additionally, expansion looks for the operator macro and, if found, looks up the operand and replaces the operator-operand sequence with the named macro's body. Likewise, expansion cannot handle addresses or services from the registry that are not named with simple identifiers.
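The following Python sketch models the expansion rules described above. It is an added example, not SunScreen code. The registry contents are constructed samples, and three behaviours are assumptions: the operator is kept and only its operand is replaced, each operator takes a single operand, and names that do not resolve are left unchanged.

```python
import re

# Operators named on this page.
ADDRESS_OPS = {"host", "to", "from", "between", "dst", "src"}
SERVICE_OPS = {"port", "dstport", "srcport"}
SIMPLE_ID = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

# Constructed sample registries (hypothetical names and values).
SAMPLE_ADDRESSES = {"webserver": "192.0.2.10", "dns-1": "192.0.2.53"}
SAMPLE_SERVICES = {"smtp": "25", "x11": "6000-6063"}  # single port or range
SAMPLE_MACROS = {"mail_in": "to webserver dstport smtp"}

def expand(body, addresses, services, macros, active=()):
    """Rewrite operator-operand pairs whose operand resolves in the
    matching registry; copy every other token through unchanged."""
    tokens = body.split()
    out = []
    i = 0
    while i < len(tokens):
        op = tokens[i]
        operand = tokens[i + 1] if i + 1 < len(tokens) else None
        resolved = None
        # Only simple identifiers are candidates for a registry lookup.
        if operand is not None and SIMPLE_ID.match(operand):
            if op in ADDRESS_OPS and operand in addresses:
                resolved = [op, addresses[operand]]
            elif op in SERVICE_OPS and operand in services:
                resolved = [op, services[operand]]
            elif op == "macro" and operand in macros:
                if operand in active:  # guard against self-referencing macros
                    raise ValueError("macro cycle: " + operand)
                # The whole pair is replaced by the macro's expanded body.
                resolved = [expand(macros[operand], addresses, services,
                                   macros, active + (operand,))]
        if resolved is None:
            out.append(op)
            i += 1
        else:
            out += resolved
            i += 2
    return " ".join(out)

if __name__ == "__main__":
    print(expand("macro mail_in and from dns-1",
                 SAMPLE_ADDRESSES, SAMPLE_SERVICES, SAMPLE_MACROS))
```

In the sample run, `dns-1` exists in the address registry but is not a simple identifier, so it passes through unexpanded. When a filter matches less or more than intended, a registry name of that kind is one place to look.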