pf's log(matches), essentially rule match tracing, is a great debugging method. You probably don't want that to end up in your regular pf logs tho, so just use a different pflog interface for that. That didn't work yet, because the target pflog interface was taken from the rule that matched, not from the log(matches) rule triggering the logging.
Index: net/if_pflog.c
===================================================================
RCS file: /cvs/src/sys/net/if_pflog.c,v
retrieving revision 1.67
diff -u -p -r1.67 if_pflog.c
--- net/if_pflog.c	19 Dec 2014 17:14:39 -0000	1.67
+++ net/if_pflog.c	8 Feb 2015 05:08:57 -0000
@@ -241,7 +241,7 @@ pflogioctl(struct ifnet *ifp, u_long cmd
 
 int
 pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm,
-    struct pf_rule *am, struct pf_ruleset *ruleset)
+    struct pf_rule *am, struct pf_ruleset *ruleset, struct pf_rule *trigger)
 {
 #if NBPFILTER > 0
 	struct ifnet *ifn;
@@ -249,9 +249,11 @@ pflog_packet(struct pf_pdesc *pd, u_int8
 
 	if (rm == NULL || pd == NULL || pd->kif == NULL || pd->m == NULL)
 		return (-1);
+	if (trigger == NULL)
+		trigger = rm;
 
-	if (rm->logif >= npflogifs || (ifn = pflogifs[rm->logif]) == NULL ||
-	    !ifn->if_bpf)
+	if (trigger->logif >= npflogifs || (ifn = pflogifs[trigger->logif]) ==
+	    NULL || !ifn->if_bpf)
 		return (0);
 
 	bzero(&hdr, sizeof(hdr));
@@ -270,7 +272,7 @@ pflog_packet(struct pf_pdesc *pd, u_int8
 		strlcpy(hdr.ruleset, ruleset->anchor->name,
 		    sizeof(hdr.ruleset));
 	}
-	if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done)
+	if (trigger->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done)
 		pd->lookup.done = pf_socket_lookup(pd);
 	if (pd->lookup.done > 0) {
 		hdr.uid = pd->lookup.uid;
Index: net/if_pflog.h
===================================================================
RCS file: /cvs/src/sys/net/if_pflog.h,v
retrieving revision 1.25
diff -u -p -r1.25 if_pflog.h
--- net/if_pflog.h	9 Jul 2014 11:03:04 -0000	1.25
+++ net/if_pflog.h	8 Feb 2015 04:54:43 -0000
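Review bot: The new `trigger` parameter of pflog_packet has no comment stating its contract, and the hunks at -249 and -270 give it two distinct jobs: it selects the pflog interface (`trigger->logif`, still bounds-checked against `npflogifs` before the array index) and it decides whether the socket lookup runs (`trigger->log & PF_LOG_SOCKET_LOOKUP`), while `rm` presumably remains the rule recorded in the pflog header — that part of the function is outside the hunks. A header comment above the definition along the lines of `/* rm: matched rule recorded in the log header; trigger: rule whose log options (logif, socket lookup) apply, NULL meaning rm itself */` would make the split explicit for the callers in pf.c. The NULL default is applied only after the `rm == NULL` check returns, so `trigger` is never dereferenced as NULL in the lines shown.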
@@ -68,9 +68,9 @@ struct pflog_softc {
 };
 
 #if NPFLOG > 0
-#define PFLOG_PACKET(a,b,c,d,e) pflog_packet(a,b,c,d,e)
+#define PFLOG_PACKET(a,b,c,d,e,f) pflog_packet(a,b,c,d,e,f)
 #else
-#define PFLOG_PACKET(a,b,c,d,e) ((void)0)
+#define PFLOG_PACKET(a,b,c,d,e,f) ((void)0)
 #endif /* NPFLOG > 0 */
 #endif /* _KERNEL */
 #endif /* _NET_IF_PFLOG_H_ */
Index: net/pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.901
diff -u -p -r1.901 pf.c
--- net/pf.c	7 Feb 2015 09:15:25 -0000	1.901
+++ net/pf.c	9 Feb 2015 07:01:39 -0000
@@ -232,6 +232,9 @@ int pf_step_out_of_anchor(int *, stru
 void pf_counters_inc(int, struct pf_pdesc *, struct pf_state *, struct pf_rule *, struct pf_rule *);
+void pf_log_matches(struct pf_pdesc *, struct pf_rule *,
+    struct pf_rule *, struct pf_ruleset *,
+    struct pf_rule_slist *);
 
 extern struct pool pfr_ktable_pl;
 extern struct pool pfr_kentry_pl;
@@ -3249,9 +3252,10 @@ pf_test_rule(struct pf_pdesc *pd, struct
 				REASON_SET(&reason, PFRES_TRANSLATE);
 				goto cleanup;
 			}
-			if (r->log || act.log & PF_LOG_MATCHES) {
+			if (r->log) {
 				REASON_SET(&reason, PFRES_MATCH);
-				PFLOG_PACKET(pd, reason, r, a, ruleset);
+				PFLOG_PACKET(pd, reason, r, a, ruleset,
+				    NULL);
 			}
 		} else {
 			match = asd;
@@ -3259,12 +3263,11 @@ pf_test_rule(struct pf_pdesc *pd, struct
 			*am = a;
 			*rsm = ruleset;
 			arsm = aruleset;
-			if (act.log & PF_LOG_MATCHES) {
-				REASON_SET(&reason, PFRES_MATCH);
-				PFLOG_PACKET(pd, reason, r, a, ruleset);
-			}
 		}
 
+		if (act.log & PF_LOG_MATCHES)
+			pf_log_matches(pd, r, a, ruleset, &rules);
+
 		if (r->quick)
 			break;
 		r = TAILQ_NEXT(r, entries);
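Review bot: In the -3249 hunk `REASON_SET(&reason, PFRES_MATCH)` now runs only inside the `if (r->log)` branch, whereas the block removed in the -3259 hunk also set `reason` before logging matches; `pf_log_matches` passes `PFRES_MATCH` as a literal instead, so the reason written to the pflog header is unchanged, but the local `reason` is no longer updated on the match-only path at that point. Whether anything reads `reason` between there and the `REASON_SET` after the loop (the -3293 hunk) is outside these hunks and worth confirming. If nothing does, a one-line comment at the new `pf_log_matches` call, `/* reason is PFRES_MATCH for log(matches) entries; set inside pf_log_matches */`, would record why the REASON_SET was dropped. The enclosing pf_test_rule loop begins and ends outside both hunks.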
@@ -3293,8 +3296,10 @@ pf_test_rule(struct pf_pdesc *pd, struct
 	}
 
 	REASON_SET(&reason, PFRES_MATCH);
-	if (r->log || act.log & PF_LOG_MATCHES)
-		PFLOG_PACKET(pd, reason, r, a, ruleset);
+	if (r->log)
+		PFLOG_PACKET(pd, reason, r, a, ruleset, NULL);
+	if (act.log & PF_LOG_MATCHES)
+		pf_log_matches(pd, r, a, ruleset, &rules);
 
 	if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
 	    (r->action == PF_DROP) &&
@@ -6543,12 +6548,12 @@ done:
 		struct pf_rule_item *ri;
 
 		if (pd.pflog & PF_LOG_FORCE || r->log & PF_LOG_ALL)
-			PFLOG_PACKET(&pd, reason, r, a, ruleset);
+			PFLOG_PACKET(&pd, reason, r, a, ruleset, NULL);
 		if (s) {
 			SLIST_FOREACH(ri, &s->match_rules, entry)
 				if (ri->r->log & PF_LOG_ALL)
 					PFLOG_PACKET(&pd, reason, ri->r, a,
-					    ruleset);
+					    ruleset, NULL);
 		}
 	}
 
@@ -6677,4 +6682,19 @@ void
 pf_pkt_addr_changed(struct mbuf *m)
 {
 	m->m_pkthdr.pf.statekey = NULL;
+}
+
+void
+pf_log_matches(struct pf_pdesc *pd, struct pf_rule *rm, struct pf_rule *am,
+    struct pf_ruleset *ruleset, struct pf_rule_slist *matchrules)
+{
+	struct pf_rule_item *ri;
+
+	/* if this is the log(matches) rule, packet has been logged already */
+	if (rm->log & PF_LOG_MATCHES)
+		return;
+
+	SLIST_FOREACH(ri, matchrules, entry)
+		if (ri->r->log & PF_LOG_MATCHES)
+			PFLOG_PACKET(pd, PFRES_MATCH, rm, am, ruleset, ri->r);
 }
Index: net/pfvar.h
===================================================================
RCS file: /cvs/src/sys/net/pfvar.h,v
retrieving revision 1.409
diff -u -p -r1.409 pfvar.h
--- net/pfvar.h	7 Feb 2015 06:27:46 -0000	1.409
+++ net/pfvar.h	8 Feb 2015 05:10:02 -0000
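Review bot: The early return in pf_log_matches (the -6677 hunk) is wider than its comment says: when the rule that just matched, `rm`, itself carries log(matches), the function skips every other log(matches) entry in `matchrules`, so a second log(matches) rule, or a final pass/block rule with log(matches), is never reported to the pflog interface of an earlier log(matches) rule, although that earlier rule was meant to see all subsequent matches. The rule's own interface is covered by the `if (r->log)` branches in the -3252 and -3296 hunks, which is presumably the duplicate the guard protects against, so the exclusion can be made per entry instead: drop the early return and make the loop condition `if (ri->r != rm && (ri->r->log & PF_LOG_MATCHES))` before the `PFLOG_PACKET` call. That `rm` can appear in `matchrules` is inferred from the guard, not visible in the hunk. A header comment would also help, e.g. `/* Log pd once to the pflog interface of each log(matches) rule in matchrules other than rm; rm/am/ruleset describe the match being logged. */`.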
@@ -1814,7 +1814,7 @@ void pf_change_a(struct pf_pdesc *, void
 int pf_check_proto_cksum(struct pf_pdesc *, int, int, u_int8_t, sa_family_t);
 int pflog_packet(struct pf_pdesc *, u_int8_t, struct pf_rule *,
-	    struct pf_rule *, struct pf_ruleset *);
+	    struct pf_rule *, struct pf_ruleset *, struct pf_rule *);
 void pf_send_deferred_syn(struct pf_state *);
 int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, struct pf_addr *, sa_family_t);
-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/