Hi, while testing some bits of logging with pf, I came upon this doc inconsistency:
pf.conf(5) says:

    The keyword user logs the UID and PID of the socket on the local host used to send or receive a packet, in addition to the normal information.

while the FAQ (https://www.openbsd.org/faq/pf/logging.html) says:

    user Causes the user id and group id that owns the socket that the packet is sourced from/destined to (whichever socket is local) to be logged along with the standard log information.

AFAICT, after digging a bit to figure out how to see the logged info (you need tcpdump -v), I figured out it was the process id owning the socket that was logged, so I think the FAQ is wrong.

    18:25:21.580108 rule 1/(match) [uid 0, pid 33213] pass out on em0: [uid 1000, pid 23403]

Interestingly, I couldn't figure out what the info '[uid 0, pid 33213]' was referring to, since on the local system there's no such pid (in that case the logging was triggered by ssh'ing outside, pid 23403 being the local pid for the ssh process) - it's the same info for all logged pkts whatever the process triggering the connection, but that doesn't seem to be a tcpdump subprocess id...

Landry

Index: logging.html =================================================================== RCS file: /cvs/www/faq/pf/logging.html,v retrieving revision 1.69 diff -u -r1.69 logging.html --- logging.html 10 Oct 2017 19:17:08 -0000 1.69 +++ logging.html 29 Nov 2017 17:27:55 -0000 @@ -99,7 +99,7 @@ The default log interface <tt>pflog0</tt> is created automatically. <dt><tt>user</tt> -<dd>Causes the user id and group id that owns the socket that the packet is +<dd>Causes the user id and process id that owns the socket that the packet is sourced from/destined to (whichever socket is local) to be logged along with the standard log information. </dl>
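
Review bot: In the changed <dd> line, "the user id and process id that owns the socket" keeps the singular "owns" and still describes the ids themselves as owning the socket. Consider matching the pf.conf(5) wording quoted in the message, for example "Causes the UID and PID of the local socket that the packet is sourced from/destined to ... to be logged", so the FAQ and the man page say the same thing. Since the message notes that these values only show up with tcpdump -v, the entry could mention that as well.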
