Hi, Sometimes a uid is logged in pflog(4) although the logopt of the rule does not specify it. Check the option again for the log rule in case another rule has triggered a socket lookup. Remove logopt group, it is not documented and cannot work as struct pfloghdr does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER to express what it does. The lookup involved is only an implementation detail.
ok? bluhm
Index: sys/net/if_pflog.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_pflog.c,v
retrieving revision 1.91
diff -u -p -r1.91 if_pflog.c
--- sys/net/if_pflog.c 28 Aug 2020 12:01:48 -0000 1.91
+++ sys/net/if_pflog.c 11 Jan 2021 14:44:55 -0000
@@ -253,9 +253,9 @@ pflog_packet(struct pf_pdesc *pd, u_int8
 strlcpy(hdr.ruleset, ruleset->anchor->name, sizeof(hdr.ruleset));
 }
- if (trigger->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done)
+ if (trigger->log & PF_LOG_USER && !pd->lookup.done)
 pd->lookup.done = pf_socket_lookup(pd);
- if (pd->lookup.done > 0) {
+ if (trigger->log & PF_LOG_USER && pd->lookup.done > 0) {
 hdr.uid = pd->lookup.uid;
 hdr.pid = pd->lookup.pid;
 } else {
Index: sys/net/pfvar.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pfvar.h,v
retrieving revision 1.497
diff -u -p -r1.497 pfvar.h
--- sys/net/pfvar.h 14 Oct 2020 19:22:14 -0000 1.497
+++ sys/net/pfvar.h 11 Jan 2021 14:46:54 -0000
@@ -156,7 +156,7 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE
 #define PF_LOG 0x01
 #define PF_LOG_ALL 0x02
-#define PF_LOG_SOCKET_LOOKUP 0x04
+#define PF_LOG_USER 0x04
 #define PF_LOG_FORCE 0x08
 #define PF_LOG_MATCHES 0x10
Index: sbin/pfctl/parse.y
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.707
diff -u -p -r1.707 parse.y
--- sbin/pfctl/parse.y 16 Dec 2020 18:01:16 -0000 1.707
+++ sbin/pfctl/parse.y 11 Jan 2021 14:44:46 -0000
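Review bot: In pflog_packet() (sys/net/if_pflog.c) the new second test `trigger->log & PF_LOG_USER && pd->lookup.done > 0` rests on an invariant the code never states: `pd->lookup.done` can already be positive because another rule triggered the socket lookup, so on its own it does not mean this rule asked for the user. A short comment above it, such as `/* lookup may have been done for another rule; only expose uid/pid if this rule logs the user */`, would keep a later cleanup from dropping the flag test and putting uid/pid back into every pflog header. Both conditions also rely on `&` binding tighter than `&&`; writing `(trigger->log & PF_LOG_USER)` makes that explicit. The function body and the `else` branch continue outside the hunk.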
@@ -2409,8 +2409,7 @@ logopts : logopt { $$ = $1; }
 logopt : ALL { $$.log = PF_LOG_ALL; $$.logif = 0; }
 | MATCHES { $$.log = PF_LOG_MATCHES; $$.logif = 0; }
- | USER { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
- | GROUP { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
+ | USER { $$.log = PF_LOG_USER; $$.logif = 0; }
 | TO string {
 const char *errstr;
 u_int i;
Index: sbin/pfctl/pfctl_parser.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/pfctl/pfctl_parser.c,v
retrieving revision 1.344
diff -u -p -r1.344 pfctl_parser.c
--- sbin/pfctl/pfctl_parser.c 29 Dec 2020 19:50:28 -0000 1.344
+++ sbin/pfctl/pfctl_parser.c 11 Jan 2021 14:44:26 -0000
@@ -795,7 +795,7 @@ print_rule(struct pf_rule *r, const char
 printf("%sall", count++ ? ", " : "");
 if (r->log & PF_LOG_MATCHES)
 printf("%smatches", count++ ? ", " : "");
- if (r->log & PF_LOG_SOCKET_LOOKUP)
+ if (r->log & PF_LOG_USER)
 printf("%suser", count++ ? ", " : "");
 if (r->logif)
 printf("%sto pflog%u", count++ ? ", " : "",
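Review bot: In sbin/pfctl/parse.y, dropping the `GROUP` alternative from `logopt` presumably turns an existing `log (group)` rule into a bare syntax error, and a pf.conf that no longer parses may fail to load after an upgrade. The option was accepted before (it set the same flag as `user`), so consider keeping the token with an explicit diagnostic, e.g. `| GROUP { yyerror("logopt group is no longer supported"); YYERROR; }`, or at least recording the removal in the upgrade notes. The `logopt` rule continues past the end of the hunk, so its remaining alternatives are not visible here.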