and now that this is in, here's the almost trivial diff to move the
logging inline, as in, when hitting a match log rule, we log
immediately and with the addresses/ports as pf sees them at that very
same moment.
i think this is quite awesome :)
match in log on re0 inet proto tcp to port 2222
match in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.5 port 2222
match in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.4 port 2222
match in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.3 port 2222
match in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.2 port 2222
pass in log on re0 inet proto tcp to port 2222 rdr-to 127.0.0.1 port 22
23:25:57.879976 rule 0/(match) [uid 0, pid 19675] match in on re0:
192.168.254.52.30526 > 192.168.254.84.2222: ...
23:25:57.880364 rule 1/(match) [uid 0, pid 19675] match in on re0:
192.168.254.52.30526 > 127.0.0.5.2222: ...
23:25:57.880497 rule 2/(match) [uid 0, pid 19675] match in on re0:
192.168.254.52.30526 > 127.0.0.4.2222: ...
23:25:57.880575 rule 3/(match) [uid 0, pid 19675] match in on re0:
192.168.254.52.30526 > 127.0.0.3.2222: ...
23:25:57.880652 rule 4/(match) [uid 0, pid 19675] match in on re0:
192.168.254.52.30526 > 127.0.0.2.2222: ...
23:25:57.880741 rule 5/(match) [uid 0, pid 19675] pass in on re0:
192.168.254.52.30526 > 127.0.0.1.22: ...
Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.699
diff -u -p -r1.699 pf.c
--- pf.c 21 Sep 2010 04:09:33 -0000 1.699
+++ pf.c 21 Sep 2010 05:31:37 -0000
@@ -2945,6 +2945,10 @@ pf_test_rule(struct pf_rule **rm, struct
PFRES_MEMORY);
goto cleanup;
}
+ if (r->log)
+ PFLOG_PACKET(kif, h, m, af,
+ direction, reason, r,
+ a, ruleset, pd);
} else {
match = 1;
*rm = r;
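Review bot: The new PFLOG_PACKET call at the top of this hunk passes `reason` before anything in the hunk has assigned it; the only `REASON_SET(&reason, PFRES_MATCH)` visible in this diff runs later, just before the final rule is logged, so a match rule's pflog record carries whatever `reason` held at that point, which may be the function's initial value rather than PFRES_MATCH — worth confirming against the initialisation earlier in pf_test_rule, or setting it explicitly: `REASON_SET(&reason, PFRES_MATCH);` immediately before the new `if (r->log)`. Note also that match-rule entries are now emitted at evaluation time regardless of the verdict a later rule reaches, so a log consumer can no longer infer from a "match" record that the packet was passed; only the final pass/block record says that, and a short comment above the new call stating this would save the next reader a trip through the history. The enclosing pf_test_rule starts and ends outside this hunk.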
@@ -2978,17 +2982,9 @@ pf_test_rule(struct pf_rule **rm, struct
REASON_SET(&reason, PFRES_MATCH);
- if (act.log) {
- struct pf_rule_item *mr;
-
- if (r->log)
- PFLOG_PACKET(kif, h, m, af, direction, reason,
- r, a, ruleset, pd);
- SLIST_FOREACH(mr, &rules, entry)
- if (mr->r->log)
- PFLOG_PACKET(kif, h, m, af, direction, reason,
- mr->r, a, ruleset, pd);
- }
+ if (r->log)
+ PFLOG_PACKET(kif, h, m, af, direction, reason,
+ r, a, ruleset, pd);
if ((r->action == PF_DROP) &&
((r->rule_flag & PFRULE_RETURNRST) ||