From 1a2a481cafa626d0fd57903a3da3fa2aec3c7e46 Mon Sep 17 00:00:00 2001 From: Mark Johnston Date: Thu, 16 Jan 2025 15:44:40 +0000 Subject: [PATCH] pf: Force logging if pf_create_state() fails Currently packets are logged before pf_create_state() is called, so we might log a packet as passed that is subsequently dropped due to state creation failure. In particular, the drop is not logged, which is wrong. Improve the situation a bit: force logging if state creation fails. This isn't totally right as we'll end up logging the packet twice in this case, but it's better than not logging the drop at all. Add a regression test. Discussed with: kp, ks Co-authored-by: Franco Fichtner MFC after: 2 weeks Sponsored by: Klara, Inc. Sponsored by: OPNsense Differential Revision: https://reviews.freebsd.org/D47953 (cherry picked from commit 886396f1b1a727c642071965612e2c2c9dd11d6c) --- sys/netpfil/pf/pf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 477e3ac74c0..23843f7c051 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -5043,6 +5043,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif, sport, dport, &rewrite, kif, sm, tag, bproto_sum, bip_sum, hdrlen, &match_rules); if (action != PF_PASS) { + pd->act.log |= PF_LOG_FORCE; if (action == PF_DROP && (r->rule_flag & PFRULE_RETURN)) pf_return(r, nr, pd, sk, off, m, th, kif,
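Review bot: the commit message says "Add a regression test", but the diffstat shows only sys/netpfil/pf/pf.c changed (1 file changed, 1 insertion(+)), so either the test did not make it into this cherry-pick or the message should say it was omitted from the MFC. In the hunk itself, `pd->act.log |= PF_LOG_FORCE;` is set for every `action != PF_PASS` result of pf_create_state(), which the message acknowledges logs the packet a second time (once as passed, once as dropped); a short comment above that line stating that the earlier pass log cannot be retracted and the drop must be recorded anyway would help the next reader, and would also make explicit that the flag is deliberately set before the `PFRULE_RETURN` branch so the returned-packet case is logged as well.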