hi,

diff below removes the `log' keyword from the nat, binat and rdr bnf
descriptions. ok, i can't quite read code as much to actually verify
the validity of this, but i simply couldn't get it to work (it doesn't
seem so hard to insert a `log' between a `nat' and a `pass' in an
otherwise working setup now does it?), didn't find any references
doing so anyplace, and seem to remember something about it being
removed (but it may have well been log-all...).

questions: if the diff below is not correct, what's the correct syntax
for logging in a nat(/binat/rdr) rule? ("nat on pcn0 from
192.168.1.0/24 to any -> (pcn0)" works fine, "nat log on pcn..." gives
a syntax error.)

if the diff below is correct, how can one log nats/rdrs/binats as they
happen?


thanks,


Index: pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.339
diff -u -r1.339 pf.conf.5
--- pf.conf.5   17 Nov 2005 22:18:20 -0000      1.339
+++ pf.conf.5   10 Dec 2005 01:45:27 -0000
@@ -2639,21 +2639,18 @@
                  "queue" ( string | "(" string [ [ "," ] string ] ")" ) |
                  "probability" number"%"

-nat-rule       = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
-                 [ "on" ifspec ] [ af ]
+nat-rule       = [ "no" ] "nat" [ "pass" ] [ "on" ifspec ] [ af ]
                  [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
                  [ "->" ( redirhost | "{" redirhost-list "}" )
                  [ portspec ] [ pooltype ] [ "static-port" ] ]

-binat-rule     = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
-                 [ "on" interface-name ] [ af ]
-                 [ "proto" ( proto-name | proto-number ) ]
+binat-rule     = [ "no" ] "binat" [ "pass" ] [ "on" interface-name ]
+                 [ af ] [ "proto" ( proto-name | proto-number ) ]
                  "from" address [ "/" mask-bits ] "to" ipspec
                  [ "tag" string ] [ "tagged" string ]
                  [ "->" address [ "/" mask-bits ] ]

-rdr-rule       = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
-                 [ "on" ifspec ] [ af ]
+rdr-rule       = [ "no" ] "rdr" [ "pass" ] [ "on" ifspec ] [ af ]
                  [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
                  [ "->" ( redirhost | "{" redirhost-list "}" )
                  [ portspec ] [ pooltype ] ]
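Review bot: the removed productions in all three rules place `log` after `pass` (`[ "pass" [ "log" [ "(" logopts ")" ] ] ]`), so the documented form is `nat pass log on ...`, whereas the syntax reported as failing in the cover mail, `nat log on ...`, is one this grammar never allowed; before deleting the `log` option from nat-rule, binat-rule and rdr-rule, confirm that `nat pass log on pcn0 from 192.168.1.0/24 to any -> (pcn0)` is actually rejected by pfctl, because if it parses the hunk removes correct documentation of the only way these rules can log translations as they happen. If `log` really has been dropped from the parser, also check whether the `logopts` production referenced here still has other users, since otherwise it becomes dead text.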


-- 

mkdir /nonexistent