Re: pflog overhaul

From: Henning Brauer (lists-openbsdtechbsws.de)
Date: Tue Sep 21 2010 - 00:32:32 CDT


and now that this is in, here's the almost trivial diff to move the
logging inline, as in, when hitting a match log rule, we log
immediately and with the addresses/ports as pf sees them at that very
same moment.

i think this is quite awesome :)

match in log on re0 inet proto tcp to port 2222
match in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.5 port 2222
match in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.4 port 2222
match in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.3 port 2222
match in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.2 port 2222
pass in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.1 port 22

23:25:57.879976 rule 0/(match) [uid 0, pid 19675] match in on re0:
  192.168.254.52.30526 > 192.168.254.84.2222: ...
23:25:57.880364 rule 1/(match) [uid 0, pid 19675] match in on re0:
  192.168.254.52.30526 > 127.0.0.5.2222: ...
23:25:57.880497 rule 2/(match) [uid 0, pid 19675] match in on re0:
  192.168.254.52.30526 > 127.0.0.4.2222: ...
23:25:57.880575 rule 3/(match) [uid 0, pid 19675] match in on re0:
  192.168.254.52.30526 > 127.0.0.3.2222: ...
23:25:57.880652 rule 4/(match) [uid 0, pid 19675] match in on re0:
  192.168.254.52.30526 > 127.0.0.2.2222: ...
23:25:57.880741 rule 5/(match) [uid 0, pid 19675] pass in on re0:
  192.168.254.52.30526 > 127.0.0.1.22: ...
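To make the inline-logging property visible, here is an added example (not part of the post or of pf) that parses the ruleset and the pflog output quoted above and checks that each logged destination is the one pf sees right after that rule's own rdr-to, as opposed to the final destination that a deferred log would show. The regexes, the `inline_destinations`/`deferred_destinations` models and the sample input are this example's own assumptions.

```python
import re

# Ruleset and pflog output copied from the post (each two-line pflog entry
# joined onto one line, as tcpdump prints it); constructed sample input.
RULES = """\
match in log on re0 inet proto tcp to port 2222
match in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.5 port 2222
match in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.4 port 2222
match in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.3 port 2222
match in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.2 port 2222
pass in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.1 port 22
"""
PFLOG = """\
23:25:57.879976 rule 0/(match) [uid 0, pid 19675] match in on re0: 192.168.254.52.30526 > 192.168.254.84.2222: ...
23:25:57.880364 rule 1/(match) [uid 0, pid 19675] match in on re0: 192.168.254.52.30526 > 127.0.0.5.2222: ...
23:25:57.880497 rule 2/(match) [uid 0, pid 19675] match in on re0: 192.168.254.52.30526 > 127.0.0.4.2222: ...
23:25:57.880575 rule 3/(match) [uid 0, pid 19675] match in on re0: 192.168.254.52.30526 > 127.0.0.3.2222: ...
23:25:57.880652 rule 4/(match) [uid 0, pid 19675] match in on re0: 192.168.254.52.30526 > 127.0.0.2.2222: ...
23:25:57.880741 rule 5/(match) [uid 0, pid 19675] pass in on re0: 192.168.254.52.30526 > 127.0.0.1.22: ...
"""
RULE_RE = re.compile(r"^(?:match|pass|block)\b.*?\bto port \d+"
                     r"(?: rdr-to (?P<ip>[\d.]+) port (?P<port>\d+))?")
LOG_RE = re.compile(r"rule (?P<num>\d+)/\(\w+\).*?: "
                    r"[\d.]+\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+):")

def parse_rules(text):
    """Per rule, its rdr-to target as (ip, port), or None if it has none."""
    matches = (RULE_RE.match(line) for line in text.splitlines())
    return [(m["ip"], int(m["port"])) if m["ip"] else None for m in matches if m]

def parse_pflog(text):
    """Per pflog line: (rule number, logged destination as (ip, port))."""
    matches = (LOG_RE.search(line) for line in text.splitlines())
    return [(int(m["num"]), (m["dst"], int(m["dport"]))) for m in matches if m]

def inline_destinations(rdrs, original):
    """What pf sees right after each rule applies its own rdr-to (inline log)."""
    dst, out = original, []
    for rdr in rdrs:
        dst = rdr or dst
        out.append(dst)
    return out

def deferred_destinations(rdrs, original):
    """Old behaviour: all rules logged after the loop, with the final destination."""
    return [inline_destinations(rdrs, original)[-1]] * len(rdrs)

def verify(rdrs, entries, original, model=inline_destinations):
    """Per log line, (rule number, True if the logged destination fits the model)."""
    expected = model(rdrs, original)
    return [(num, dst == expected[num]) for num, dst in entries]
```

Run with `verify(parse_rules(RULES), parse_pflog(PFLOG), ("192.168.254.84", 2222))`: every line fits the inline model, while the deferred model only fits the final pass rule.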

Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.699
diff -u -p -r1.699 pf.c
--- pf.c 21 Sep 2010 04:09:33 -0000 1.699
+++ pf.c 21 Sep 2010 05:31:37 -0000
-2945,6 +2945,10 pf_test_rule(struct pf_rule **rm, struct
                                                     PFRES_MEMORY);
                                                 goto cleanup;
                                         }
+ if (r->log)
+ PFLOG_PACKET(kif, h, m, af,
+ direction, reason, r,
+ a, ruleset, pd);
                                 } else {
                                         match = 1;
                                         *rm = r;
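Review bot: the new PFLOG_PACKET call in the match branch passes `reason` through, but nothing visible on the success path sets it: the only assignment in this hunk is `REASON_SET(&reason, PFRES_MEMORY)` on the failure path just above, and the `REASON_SET(&reason, PFRES_MATCH)` in the next hunk runs only after the rule loop. Please confirm `reason` is initialised to PFRES_MATCH before the loop (the sample output's `rule 0/(match)` suggests it is, but that is outside this diff); otherwise a match rule could be logged with a stale reason. A short comment at the call site stating that the log deliberately fires before later rules run would also help the next reader.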
-2978,17 +2982,9 pf_test_rule(struct pf_rule **rm, struct
 
         REASON_SET(&reason, PFRES_MATCH);
 
- if (act.log) {
- struct pf_rule_item *mr;
-
- if (r->log)
- PFLOG_PACKET(kif, h, m, af, direction, reason,
- r, a, ruleset, pd);
- SLIST_FOREACH(mr, &rules, entry)
- if (mr->r->log)
- PFLOG_PACKET(kif, h, m, af, direction, reason,
- mr->r, a, ruleset, pd);
- }
+ if (r->log)
+ PFLOG_PACKET(kif, h, m, af, direction, reason,
+ r, a, ruleset, pd);
 
         if ((r->action == PF_DROP) &&
             ((r->rule_flag & PFRULE_RETURNRST) ||
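Review bot: with the SLIST_FOREACH over `rules` and the `act.log` check removed, `act.log` has no remaining reader in this function; if pf_rule_to_actions still populates it, drop the field or its assignment in the same change rather than leaving dead state. Note also the behavioural change this hunk makes: match rules previously logged only here, after the loop completed with the final addresses, and now log as each rule is hit even if a later rule ends in `goto cleanup`. That is the intended feature, but it is worth a sentence in pf.conf(5) under `log` so operators know match-rule entries show pre-final addresses.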