upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-10 17:22:46 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

pflog: improve uid logging

Browse source 
Sometimes a user ID was logged in pflog(4) although the logopt of
the rule did not specify it.  Check the option again for the log
rule in case another rule has triggered a socket lookup.  Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid.  Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does.  The lookup involved is only an implemntation
detail.
OK kn@ sashan@ mvs@

Obtained from:	OpenBSD, bluhm <bluhm@openbsd.org>, f6d3bf21b2
Sponsored by:	Rubicon Communications, LLC ("Netgate")
This commit is contained in:
Kristof Provost 2025-07-08 17:04:12 +02:00
parent 7b0b4fca08
commit 7250fc4eb5
4 changed files with 5 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
sbin/pfctl/parse.y
View file

@ -3232,8 +3232,7 @@ logopts : logopt { $$ = $1; }
logopt : ALL { $$.log = PF_LOG_ALL; $$.logif = 0; }
| MATCHES { $$.log = PF_LOG_MATCHES; $$.logif = 0; }
| USER { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
| GROUP { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
| USER { $$.log = PF_LOG_USER; $$.logif = 0; }
| TO string {
const char *errstr;
u_int i;

2
sbin/pfctl/pfctl_parser.c
View file

@ -928,7 +928,7 @@ print_rule(struct pfctl_rule *r, const char *anchor_call, int verbose, int numer
printf("%sall", count++ ? ", " : "");
if (r->log & PF_LOG_MATCHES)
printf("%smatches", count++ ? ", " : "");
if (r->log & PF_LOG_SOCKET_LOOKUP)
if (r->log & PF_LOG_USER)
printf("%suser", count++ ? ", " : "");
if (r->logif)
printf("%sto pflog%u", count++ ? ", " : "",

4
sys/netpfil/pf/if_pflog.c
View file

@ -284,9 +284,9 @@ pflog_packet(uint8_t action, u_int8_t reason,
* state lock, since this leads to unsafe LOR.
* These conditions are very very rare, however.
*/
if (trigger->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done && lookupsafe)
if (trigger->log & PF_LOG_USER && !pd->lookup.done && lookupsafe)
pd->lookup.done = pf_socket_lookup(pd);
if (pd->lookup.done > 0)
if (trigger->log & PF_LOG_USER && pd->lookup.done > 0)
hdr.uid = pd->lookup.uid;
else
hdr.uid = -1;

2
sys/netpfil/pf/pf.h
View file

@ -140,7 +140,7 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
#define PF_LOG 0x01
#define PF_LOG_ALL 0x02
#define PF_LOG_SOCKET_LOOKUP 0x04
#define PF_LOG_USER 0x04
#define PF_LOG_FORCE 0x08
#define PF_LOG_MATCHES 0x10