Stuart Henderson([email protected]) on 2017.04.21 10:21:56 +0100:
> Currently LOG_NOTICE is used for some things which are rather common,
> as well as some things which are unusual. So, if you want to find the
> unusual things, depending on your ruleset you can have a lot of noise
> and perhaps a lot of load due to the logging.
>
> This diff moves these to LOG_INFO (which is currently unused in PF).
> With it I can now run with "pfctl -xn" to log things like loose state
> matches, state failure, missing fragments, etc, without several lines
> from each osfp match, "selected address" for translation rules, etc.
>
> OK?
ok and thanks!
> Index: pf_lb.c
> ===================================================================
> RCS file: /cvs/src/sys/net/pf_lb.c,v
> retrieving revision 1.59
> diff -u -p -r1.59 pf_lb.c
> --- pf_lb.c 8 Feb 2017 01:20:40 -0000 1.59
> +++ pf_lb.c 21 Apr 2017 09:13:17 -0000
> @@ -619,9 +619,9 @@ pf_map_addr(sa_family_t af, struct pf_ru
> return (1);
> }
>
> - if (pf_status.debug >= LOG_NOTICE &&
> + if (pf_status.debug >= LOG_INFO &&
> (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
> - log(LOG_NOTICE, "pf: pf_map_addr: selected address ");
> + log(LOG_INFO, "pf: pf_map_addr: selected address ");
> pf_print_host(naddr, 0, af);
> if ((rpool->opts & PF_POOL_TYPEMASK) ==
> PF_POOL_LEASTSTATES)
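Review bot: The function name is hard-coded in `log(LOG_INFO, "pf: pf_map_addr: selected address ");`, while the pf_postprocess_addr hunk further down in this file writes the same message using `__func__`. Writing `log(LOG_INFO, "pf: %s: selected address ", __func__);` here as well keeps the two lines uniform and survives a rename of the function. The body of pf_map_addr starts and ends outside the hunk.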
> @@ -707,8 +707,8 @@ pf_get_transaddr_af(struct pf_rule *r, s
> u_int16_t nport;
> int prefixlen = 96;
>
> - if (pf_status.debug >= LOG_NOTICE) {
> - log(LOG_NOTICE, "pf: af-to %s %s, ",
> + if (pf_status.debug >= LOG_INFO) {
> + log(LOG_INFO, "pf: af-to %s %s, ",
> pd->naf == AF_INET ? "inet" : "inet6",
> r->rdr.addr.type == PF_ADDR_NONE ? "nat" : "rdr");
> pf_print_host(&pd->nsaddr, pd->nsport, pd->af);
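Review bot: The level is spelled twice in this block, once in the `pf_status.debug >= LOG_INFO` guard and once in the `log(LOG_INFO, ...)` call. The same pair is repeated in the second pf_get_transaddr_af hunk and in the pf_map_addr and pf_postprocess_addr hunks. If a later edit changes only one of the two, the message is emitted at a priority different from the one that enables it. A short comment above the guard, `/* guard level must match the log() priority below */`, would make the coupling explicit. The function body extends beyond the hunk.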
> @@ -815,8 +815,8 @@ pf_get_transaddr_af(struct pf_rule *r, s
> PF_ACPY(&pd->nsaddr, &nsaddr, pd->naf);
> PF_ACPY(&pd->ndaddr, &ndaddr, pd->naf);
>
> - if (pf_status.debug >= LOG_NOTICE) {
> - log(LOG_NOTICE, "pf: af-to %s %s done, prefixlen %d, ",
> + if (pf_status.debug >= LOG_INFO) {
> + log(LOG_INFO, "pf: af-to %s %s done, prefixlen %d, ",
> pd->naf == AF_INET ? "inet" : "inet6",
> r->rdr.addr.type == PF_ADDR_NONE ? "nat" : "rdr",
> prefixlen);
> @@ -904,8 +904,8 @@ pf_postprocess_addr(struct pf_state *cur
> }
> }
> if (slbcount > -1) {
> - if (pf_status.debug >= LOG_NOTICE) {
> - log(LOG_NOTICE, "pf: %s: selected address ", __func__);
> + if (pf_status.debug >= LOG_INFO) {
> + log(LOG_INFO, "pf: %s: selected address ", __func__);
> pf_print_host(&lookup_addr, sks->port[0],
> sks->af);
> addlog(" decreased state count to %u\n",
> Index: pf_norm.c
> ===================================================================
> RCS file: /cvs/src/sys/net/pf_norm.c,v
> retrieving revision 1.202
> diff -u -p -r1.202 pf_norm.c
> --- pf_norm.c 17 Mar 2017 17:19:16 -0000 1.202
> +++ pf_norm.c 21 Apr 2017 09:13:17 -0000
> @@ -286,7 +286,7 @@ pf_fillup_fragment(struct pf_fragment_cm
> goto bad_fragment;
> }
>
> - DPFPRINTF(LOG_NOTICE, key->fr_af == AF_INET ?
> + DPFPRINTF(LOG_INFO, key->fr_af == AF_INET ?
> "reass frag %d @ %d-%d" : "reass frag %#08x @ %d-%d",
> key->fr_id, frent->fe_off, frent->fe_off + frent->fe_len);
>
> @@ -456,7 +456,7 @@ pf_isfull_fragment(struct pf_fragment *f
> return (0);
> }
> }
> - DPFPRINTF(LOG_NOTICE, "%d < %d?", off, total);
> + DPFPRINTF(LOG_INFO, "%d < %d?", off, total);
> if (off < total)
> return (0);
> KASSERT(off == total);
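Review bot: The message `"%d < %d?"` gives no hint of what is being compared or where it was emitted, which makes it hard to interpret among the other LOG_INFO output. Something like `DPFPRINTF(LOG_INFO, "%s: off %d < total %d?", __func__, off, total);` would make the line self-explanatory. pf_isfull_fragment begins outside the hunk.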
> @@ -569,7 +569,7 @@ pf_reassemble(struct mbuf **m0, int dir,
> return (PF_DROP);
> }
>
> - DPFPRINTF(LOG_NOTICE, "complete: %p(%d)", m, ntohs(ip->ip_len));
> + DPFPRINTF(LOG_INFO, "complete: %p(%d)", m, ntohs(ip->ip_len));
> return (PF_PASS);
> }
>
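Review bot: The `%p` in `"complete: %p(%d)"` writes the mbuf's kernel address into the log, here and in the matching line of the pf_reassemble6 hunk. Assuming the kernel's `%p` prints the raw pointer, anyone who can read the log learns kernel heap addresses, and the value has little diagnostic use once the packet has been passed. Consider logging only the length, `DPFPRINTF(LOG_INFO, "complete: len %d", ntohs(ip->ip_len));`, with `ip6->ip6_plen` in pf_reassemble6. Both function bodies start outside their hunks.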
> @@ -676,7 +676,7 @@ pf_reassemble6(struct mbuf **m0, struct
> return (PF_DROP);
> }
>
> - DPFPRINTF(LOG_NOTICE, "complete: %p(%d)", m, ntohs(ip6->ip6_plen));
> + DPFPRINTF(LOG_INFO, "complete: %p(%d)", m, ntohs(ip6->ip6_plen));
> return (PF_PASS);
>
> fail:
> Index: pf_osfp.c
> ===================================================================
> RCS file: /cvs/src/sys/net/pf_osfp.c,v
> retrieving revision 1.39
> diff -u -p -r1.39 pf_osfp.c
> --- pf_osfp.c 22 Nov 2016 19:29:54 -0000 1.39
> +++ pf_osfp.c 21 Apr 2017 09:13:17 -0000
> @@ -238,7 +238,7 @@ pf_osfp_fingerprint_hdr(const struct ip
> optlen = MAX(optlen, 1); /* paranoia */
> }
>
> - DPFPRINTF(LOG_NOTICE,
> + DPFPRINTF(LOG_INFO,
> "fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) "
> "(TS=%s,M=%s%d,W=%s%d)",
> srcname, ntohs(tcp->th_sport),
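Review bot: The reason for the chosen level is not recorded next to this call, so a later debug line added to pf_osfp_fingerprint_hdr has nothing to go by. The commit message explains that osfp output is frequent enough to drown out unusual events at LOG_NOTICE. A comment above the DPFPRINTF, such as `/* frequent per-fingerprint output: keep at LOG_INFO so LOG_NOTICE stays quiet */`, would preserve that reasoning in the source. The argument list of the call continues past the end of the hunk.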
> @@ -269,7 +269,7 @@ pf_osfp_match(struct pf_osfp_enlist *lis
> if (os == PF_OSFP_ANY)
> return (1);
> if (list == NULL) {
> - DPFPRINTF(LOG_NOTICE, "osfp no match against %x", os);
> + DPFPRINTF(LOG_INFO, "osfp no match against %x", os);
> return (os == PF_OSFP_UNKNOWN);
> }
> PF_OSFP_UNPACK(os, os_class, os_version, os_subtype);
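Review bot: The fingerprint value is formatted as bare `%x` in `"osfp no match against %x"` and `"osfp matched %s %s %s %x==%x"`, but as `0x%x` in `"fingerprint 0x%x didn't match"` in the next hunk. Picking one form, for example `DPFPRINTF(LOG_INFO, "osfp no match against 0x%x", os);`, makes the three lines easier to grep and to compare against each other. pf_osfp_match starts outside this hunk and continues into the next one.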
> @@ -278,14 +278,14 @@ pf_osfp_match(struct pf_osfp_enlist *lis
> if ((os_class == PF_OSFP_ANY || en_class == os_class) &&
> (os_version == PF_OSFP_ANY || en_version == os_version) &&
> (os_subtype == PF_OSFP_ANY || en_subtype == os_subtype)) {
> - DPFPRINTF(LOG_NOTICE,
> + DPFPRINTF(LOG_INFO,
> "osfp matched %s %s %s %x==%x",
> entry->fp_class_nm, entry->fp_version_nm,
> entry->fp_subtype_nm, os, entry->fp_os);
> return (1);
> }
> }
> - DPFPRINTF(LOG_NOTICE, "fingerprint 0x%x didn't match", os);
> + DPFPRINTF(LOG_INFO, "fingerprint 0x%x didn't match", os);
> return (0);
> }
>
>