Hi,
Sometimes an uid is logged in pflog(4) although the logopt of the
rule does not specify it. Check the option again for the log rule
in case another rule has triggered a socket lookup. Remove logopt
group, it is not documented and cannot work as struct pfloghdr does
not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER to
express what it does. The lookup involved is only an implementation
detail.
ok?
bluhm
Index: sys/net/if_pflog.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_pflog.c,v
retrieving revision 1.91
diff -u -p -r1.91 if_pflog.c
--- sys/net/if_pflog.c 28 Aug 2020 12:01:48 -0000 1.91
+++ sys/net/if_pflog.c 11 Jan 2021 14:44:55 -0000
@@ -253,9 +253,9 @@ pflog_packet(struct pf_pdesc *pd, u_int8
strlcpy(hdr.ruleset, ruleset->anchor->name,
sizeof(hdr.ruleset));
}
- if (trigger->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done)
+ if (trigger->log & PF_LOG_USER && !pd->lookup.done)
pd->lookup.done = pf_socket_lookup(pd);
- if (pd->lookup.done > 0) {
+ if (trigger->log & PF_LOG_USER && pd->lookup.done > 0) {
hdr.uid = pd->lookup.uid;
hdr.pid = pd->lookup.pid;
} else {
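Review bot: The second condition now re-tests `trigger->log & PF_LOG_USER` only because `pd->lookup.done` can already hold a result cached by an earlier rule on the same packet, and that reason is not visible at the line itself. A short comment before the new `if (trigger->log & PF_LOG_USER && pd->lookup.done > 0)`, such as `/* lookup.done may be cached from another rule; only log uid/pid if this rule asked for it */`, would keep a later cleanup from "simplifying" the flag check away and reintroducing the leak of uid/pid into records of rules that did not request it. pflog_packet starts before this hunk and its else branch continues past it.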
Index: sys/net/pfvar.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pfvar.h,v
retrieving revision 1.497
diff -u -p -r1.497 pfvar.h
--- sys/net/pfvar.h 14 Oct 2020 19:22:14 -0000 1.497
+++ sys/net/pfvar.h 11 Jan 2021 14:46:54 -0000
@@ -156,7 +156,7 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE
#define PF_LOG 0x01
#define PF_LOG_ALL 0x02
-#define PF_LOG_SOCKET_LOOKUP 0x04
+#define PF_LOG_USER 0x04
#define PF_LOG_FORCE 0x08
#define PF_LOG_MATCHES 0x10
Index: sbin/pfctl/parse.y
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.707
diff -u -p -r1.707 parse.y
--- sbin/pfctl/parse.y 16 Dec 2020 18:01:16 -0000 1.707
+++ sbin/pfctl/parse.y 11 Jan 2021 14:44:46 -0000
@@ -2409,8 +2409,7 @@ logopts : logopt { $$ =
$1; }
logopt : ALL { $$.log = PF_LOG_ALL; $$.logif = 0; }
| MATCHES { $$.log = PF_LOG_MATCHES; $$.logif = 0; }
- | USER { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
- | GROUP { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
+ | USER { $$.log = PF_LOG_USER; $$.logif = 0; }
| TO string {
const char *errstr;
u_int i;
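Review bot: Dropping the `GROUP` alternative from logopt leaves `log (group)` to fail as a generic grammar error rather than with a message saying the option no longer exists; if the GROUP keyword is still present in the lexer's keyword table (outside this hunk), it becomes a token no rule consumes. Either remove the keyword there in the same change or keep the alternative as an explicit `yyerror("logopt group is not supported")` so existing pf.conf files that used it fail with a clear diagnostic. logopts/logopt is a yacc rule, so the surrounding grammar continues outside the hunk.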
Index: sbin/pfctl/pfctl_parser.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/pfctl/pfctl_parser.c,v
retrieving revision 1.344
diff -u -p -r1.344 pfctl_parser.c
--- sbin/pfctl/pfctl_parser.c 29 Dec 2020 19:50:28 -0000 1.344
+++ sbin/pfctl/pfctl_parser.c 11 Jan 2021 14:44:26 -0000
@@ -795,7 +795,7 @@ print_rule(struct pf_rule *r, const char
printf("%sall", count++ ? ", " : "");
if (r->log & PF_LOG_MATCHES)
printf("%smatches", count++ ? ", " : "");
- if (r->log & PF_LOG_SOCKET_LOOKUP)
+ if (r->log & PF_LOG_USER)
printf("%suser", count++ ? ", " : "");
if (r->logif)
printf("%sto pflog%u", count++ ? ", " : "",