pflog: pass the action to pflog directly
If a packet is malformed, it is dropped by pf(4). The rule referenced
in pflog(4) is the default rule. As the default rule is a pass
rule, tcpdump printed "pass" although the packet was actually
dropped. Use the actual action, rather than the rule's action, or an
attempt at guessing the correct action.
Inspired by OpenBSD's 'pflog(4) logs packet dropped by default rule with block.' commit.
Sponsored by: Rubicon Communications, LLC ("Netgate")
This commit is contained in:
parent
da66e273ff
commit
2504a899e4
5 changed files with 21 additions and 21 deletions
|
|
@ -69,9 +69,9 @@ struct pf_ruleset;
|
|||
struct pfi_kif;
|
||||
struct pf_pdesc;
|
||||
|
||||
#define PFLOG_PACKET(i,a,b,c,d,e,f,g,di) do { \
|
||||
#define PFLOG_PACKET(i,a,b,t,c,d,e,f,g,di) do { \
|
||||
if (pflog_packet_ptr != NULL) \
|
||||
pflog_packet_ptr(i,a,b,c,d,e,f,g,di); \
|
||||
pflog_packet_ptr(i,a,b,t,c,d,e,f,g,di); \
|
||||
} while (0)
|
||||
#endif /* _KERNEL */
|
||||
#endif /* _NET_IF_PFLOG_H_ */
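Review bot: The parameter `t` added to `#define PFLOG_PACKET(i,a,b,t,c,d,e,f,g,di)` is undocumented, like the other single-letter positions, and because a macro does no type checking a caller that transposes `t` and `c` (action and reason are both byte-sized) compiles silently and writes the wrong verdict into the log a user will later read as the packet's fate. I'd put a comment above the define naming each position: `/* i=kif, a=mbuf, b=af, t=action, c=reason, d=rule, e=anchor rule, f=ruleset, g=pdesc, di=lookupsafe */`. The mapping of d..g is inferred from the pflog_packet prototype elsewhere in this commit, so confirm it before committing the comment.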
|
||||
|
|
|
|||
|
|
@ -1207,7 +1207,7 @@ void pf_state_export(struct pf_state_export *,
|
|||
struct pf_kruleset;
|
||||
struct pf_pdesc;
|
||||
typedef int pflog_packet_t(struct pfi_kkif *, struct mbuf *, sa_family_t,
|
||||
u_int8_t, struct pf_krule *, struct pf_krule *, struct pf_kruleset *,
|
||||
uint8_t, u_int8_t, struct pf_krule *, struct pf_krule *, struct pf_kruleset *,
|
||||
struct pf_pdesc *, int);
|
||||
extern pflog_packet_t *pflog_packet_ptr;
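Review bot: The typedef now mixes two spellings of the same type on one line, `uint8_t, u_int8_t, struct pf_krule *, ...`, with the C99 form for the new action argument and the BSD form for reason; pick one (`uint8_t, uint8_t,` matches the new code) so the pair does not read as two different kinds of value. The same mixed pair appears in the pflog_packet definition in if_pflog.c (`uint8_t action, u_int8_t reason`). Since these are two adjacent unnamed byte parameters, naming them in the prototype, `uint8_t action, uint8_t reason,`, would also let a reader tell which is which without opening the implementation.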
|
||||
|
||||
|
|
|
|||
|
|
@ -214,7 +214,7 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
|
|||
|
||||
static int
|
||||
pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af,
|
||||
u_int8_t reason, struct pf_krule *rm, struct pf_krule *am,
|
||||
uint8_t action, u_int8_t reason, struct pf_krule *rm, struct pf_krule *am,
|
||||
struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe)
|
||||
{
|
||||
struct ifnet *ifn;
|
||||
|
|
@ -230,7 +230,7 @@ pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af,
|
|||
bzero(&hdr, sizeof(hdr));
|
||||
hdr.length = PFLOG_REAL_HDRLEN;
|
||||
hdr.af = af;
|
||||
hdr.action = rm->action;
|
||||
hdr.action = action;
|
||||
hdr.reason = reason;
|
||||
memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
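Review bot: `hdr.action = action;` changes the meaning of the logged action from "the matching rule's action" to "whatever the caller decided", but nothing at the definition says so, and a future caller reading only `pflog_packet(... uint8_t action, u_int8_t reason, struct pf_krule *rm, ...)` could reasonably pass `rm->action` again and reintroduce the bug this commit fixes. I'd add a comment on the parameter: `/* action: the verdict actually applied to the packet (PF_PASS, PF_DROP, ...), not rm->action, which may differ for packets dropped by the default rule */`. The body of pflog_packet continues outside both hunks, so I cannot tell whether `rm` is still read for other fields after this change.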
|
||||
|
||||
|
|
|
|||
|
|
@ -4793,7 +4793,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
|
|||
KASSERT(nk != NULL, ("%s: null nk", __func__));
|
||||
|
||||
if (nr->log) {
|
||||
PFLOG_PACKET(kif, m, af, PFRES_MATCH, nr, a,
|
||||
PFLOG_PACKET(kif, m, af, PF_PASS, PFRES_MATCH, nr, a,
|
||||
ruleset, pd, 1);
|
||||
}
|
||||
|
||||
|
|
@ -5023,7 +5023,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
|
|||
pf_rule_to_actions(r, &pd->act);
|
||||
if (r->log)
|
||||
PFLOG_PACKET(kif, m, af,
|
||||
PFRES_MATCH, r,
|
||||
r->action, PFRES_MATCH, r,
|
||||
a, ruleset, pd, 1);
|
||||
} else {
|
||||
match = 1;
|
||||
|
|
@ -5055,7 +5055,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
|
|||
if (r->log) {
|
||||
if (rewrite)
|
||||
m_copyback(m, off, hdrlen, pd->hdr.any);
|
||||
PFLOG_PACKET(kif, m, af, reason, r, a, ruleset, pd, 1);
|
||||
PFLOG_PACKET(kif, m, af, r->action, reason, r, a, ruleset, pd, 1);
|
||||
}
|
||||
|
||||
if ((r->action == PF_DROP) &&
|
||||
|
|
@ -5471,7 +5471,7 @@ pf_test_fragment(struct pf_krule **rm, struct pfi_kkif *kif,
|
|||
pf_rule_to_actions(r, &pd->act);
|
||||
if (r->log)
|
||||
PFLOG_PACKET(kif, m, af,
|
||||
PFRES_MATCH, r,
|
||||
r->action, PFRES_MATCH, r,
|
||||
a, ruleset, pd, 1);
|
||||
} else {
|
||||
match = 1;
|
||||
|
|
@ -5501,7 +5501,7 @@ pf_test_fragment(struct pf_krule **rm, struct pfi_kkif *kif,
|
|||
pf_rule_to_actions(r, &pd->act);
|
||||
|
||||
if (r->log)
|
||||
PFLOG_PACKET(kif, m, af, reason, r, a, ruleset, pd, 1);
|
||||
PFLOG_PACKET(kif, m, af, r->action, reason, r, a, ruleset, pd, 1);
|
||||
|
||||
if (r->action != PF_PASS)
|
||||
return (PF_DROP);
|
||||
|
|
@ -8872,13 +8872,13 @@ done:
|
|||
lr = r;
|
||||
|
||||
if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
|
||||
PFLOG_PACKET(kif, m, AF_INET, reason, lr, a, ruleset,
|
||||
&pd, (s == NULL));
|
||||
PFLOG_PACKET(kif, m, AF_INET, action, reason, lr, a,
|
||||
ruleset, &pd, (s == NULL));
|
||||
if (s) {
|
||||
SLIST_FOREACH(ri, &s->match_rules, entry)
|
||||
if (ri->r->log & PF_LOG_ALL)
|
||||
PFLOG_PACKET(kif, m, AF_INET, reason,
|
||||
ri->r, a, ruleset, &pd, 0);
|
||||
PFLOG_PACKET(kif, m, AF_INET, action,
|
||||
reason, ri->r, a, ruleset, &pd, 0);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -9444,12 +9444,12 @@ done:
|
|||
lr = r;
|
||||
|
||||
if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
|
||||
PFLOG_PACKET(kif, m, AF_INET6, reason, lr, a, ruleset,
|
||||
PFLOG_PACKET(kif, m, AF_INET6, action, reason, lr, a, ruleset,
|
||||
&pd, (s == NULL));
|
||||
if (s) {
|
||||
SLIST_FOREACH(ri, &s->match_rules, entry)
|
||||
if (ri->r->log & PF_LOG_ALL)
|
||||
PFLOG_PACKET(kif, m, AF_INET6, reason,
|
||||
PFLOG_PACKET(kif, m, AF_INET6, action, reason,
|
||||
ri->r, a, ruleset, &pd, 0);
|
||||
}
|
||||
}
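Review bot: In the first pf_test_rule hunk the NAT rule log now hard-codes the verdict, `PFLOG_PACKET(kif, m, af, PF_PASS, PFRES_MATCH, nr, a, ruleset, pd, 1);`, whereas the old code logged `nr->action` (a translation action) and the other call sites in this commit pass either the rule's action or the running `action`; at this point the packet has only been translated and may still be blocked by a later filter rule, so a log entry reading "pass" is a guess of the kind the commit message says it wants to avoid. If PF_PASS is deliberately chosen because a NAT match is not a filter verdict, a one-line comment above the call saying so would stop the next reader from "fixing" it. The `done:` hunks pass the local `action`; I assume it is final by the time the label is reached, but the enclosing pf_test bodies start well outside these hunks, so that is worth confirming.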
|
||||
|
|
|
|||
|
|
@ -1187,7 +1187,7 @@ pf_normalize_ip(struct mbuf **m0, struct pfi_kkif *kif, u_short *reason,
|
|||
REASON_SET(reason, PFRES_FRAG);
|
||||
drop:
|
||||
if (r != NULL && r->log)
|
||||
PFLOG_PACKET(kif, m, AF_INET, *reason, r, NULL, NULL, pd, 1);
|
||||
PFLOG_PACKET(kif, m, AF_INET, PF_DROP, *reason, r, NULL, NULL, pd, 1);
|
||||
|
||||
return (PF_DROP);
|
||||
}
|
||||
|
|
@ -1360,13 +1360,13 @@ again:
|
|||
shortpkt:
|
||||
REASON_SET(reason, PFRES_SHORT);
|
||||
if (r != NULL && r->log)
|
||||
PFLOG_PACKET(kif, m, AF_INET6, *reason, r, NULL, NULL, pd, 1);
|
||||
PFLOG_PACKET(kif, m, AF_INET6, PF_DROP, *reason, r, NULL, NULL, pd, 1);
|
||||
return (PF_DROP);
|
||||
|
||||
drop:
|
||||
REASON_SET(reason, PFRES_NORM);
|
||||
if (r != NULL && r->log)
|
||||
PFLOG_PACKET(kif, m, AF_INET6, *reason, r, NULL, NULL, pd, 1);
|
||||
PFLOG_PACKET(kif, m, AF_INET6, PF_DROP, *reason, r, NULL, NULL, pd, 1);
|
||||
return (PF_DROP);
|
||||
}
|
||||
#endif /* INET6 */
|
||||
|
|
@ -1491,7 +1491,7 @@ pf_normalize_tcp(struct pfi_kkif *kif, struct mbuf *m, int ipoff,
|
|||
tcp_drop:
|
||||
REASON_SET(&reason, PFRES_NORM);
|
||||
if (rm != NULL && r->log)
|
||||
PFLOG_PACKET(kif, m, AF_INET, reason, r, NULL, NULL, pd, 1);
|
||||
PFLOG_PACKET(kif, m, AF_INET, PF_DROP, reason, r, NULL, NULL, pd, 1);
|
||||
return (PF_DROP);
|
||||
}
|
||||
|
||||
|
|
@ -2261,7 +2261,7 @@ pf_normalize_sctp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
|
|||
sctp_drop:
|
||||
REASON_SET(&reason, PFRES_NORM);
|
||||
if (rm != NULL && r->log)
|
||||
PFLOG_PACKET(kif, m, AF_INET, reason, r, NULL, NULL, pd,
|
||||
PFLOG_PACKET(kif, m, AF_INET, PF_DROP, reason, r, NULL, NULL, pd,
|
||||
1);
|
||||
|
||||
return (PF_DROP);
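Review bot: The new log calls in the pf_normalize_tcp and pf_normalize_sctp hunks, `PFLOG_PACKET(kif, m, AF_INET, PF_DROP, reason, r, NULL, NULL, pd, 1);`, sit under a guard that tests one pointer and dereferences another, `if (rm != NULL && r->log)`, while the IPv4 and IPv6 hunks in this file guard with `if (r != NULL && r->log)`. This looks equivalent only if `r` aliases `rm` whenever the drop label is reached; both function bodies start outside the hunks, so I cannot verify that here. Testing and passing the same pointer, `if (rm != NULL && rm->log)` with `rm` as the rule argument, would make the guard self-evidently safe and consistent with the other drop paths in this commit.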
|
||||
|
|
|
|||