From nobody Thu Mar 10 13:03:26 2022
Date: Thu, 10 Mar 2022 13:03:26 GMT
Message-Id: <202203101303.22AD3Qch066707@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 0784121c963e - main - pfdenied: support reporting on additional anchors
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0784121c963e39aa9e8b33c4e0a0c181daf75277

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=0784121c963e39aa9e8b33c4e0a0c181daf75277
commit 0784121c963e39aa9e8b33c4e0a0c181daf75277
Author:     Matteo Riondato
AuthorDate: 2022-03-09 14:02:11 +0000
Commit:     Kristof Provost
CommitDate: 2022-03-10 11:08:59 +0000

    pfdenied: support reporting on additional anchors

    The security/520-pfdenied script only reports blocked packets from the
    main ruleset or any blocklistd(8) anchor. Add an option to
    periodic.conf(5) to make it possible to specify additional anchors to
    report.

    PR:		262446
    Reviewed by:	kp
---
 share/man/man5/periodic.conf.5 | 9 ++++++++- usr.sbin/periodic/etc/security/520.pfdenied | 2 +- usr.sbin/periodic/periodic.conf | 1 + 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/share/man/man5/periodic.conf.5 b/share/man/man5/periodic.conf.5 index 293a6a3e0cc3..119c49502c9d 100644 --- a/share/man/man5/periodic.conf.5 +++ b/share/man/man5/periodic.conf.5 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 7, 2022 +.Dd March 9, 2022 .Dt PERIODIC.CONF 5 .Os .Sh NAME @@ -960,6 +960,13 @@ Set to to show log entries for packets denied by .Xr pf 4 since yesterday's check. +.It Va security_status_pfdenied_additionalanchors +.Pq Vt str +Space-separated list of additional anchors whose denied packets log entries to +show. +The main ruleset (i.e., the empty-string anchor) and any +.Xr blacklistd 8 +anchors, if present, are always shown. .It Va security_status_pfdenied_period .Pq Vt str Set to either diff --git a/usr.sbin/periodic/etc/security/520.pfdenied b/usr.sbin/periodic/etc/security/520.pfdenied index 69d9df78436b..b75f6224c328 100755 --- a/usr.sbin/periodic/etc/security/520.pfdenied +++ b/usr.sbin/periodic/etc/security/520.pfdenied 
@@ -44,7 +44,7 @@ rc=0 if check_yesno_period security_status_pfdenied_enable then TMP=`mktemp -t security` - for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) + for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) ${security_status_pfdenied_anchors} do pfctl -a "${_a}" -sr -v -z 2>/dev/null | \ nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP} diff --git a/usr.sbin/periodic/periodic.conf b/usr.sbin/periodic/periodic.conf index ade62be10e96..61cebe858372 100644 --- a/usr.sbin/periodic/periodic.conf +++ b/usr.sbin/periodic/periodic.conf @@ -298,6 +298,7 @@ security_status_ipfdenied_period="daily" # 520.pfdenied security_status_pfdenied_enable="YES" security_status_pfdenied_period="daily" +security_status_pfdenied_additionalanchors="" # 550.ipfwlimit security_status_ipfwlimit_enable="YES"
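Review bot: in the periodic.conf.5 hunk at line 960, the new description "Space-separated list of additional anchors whose denied packets log entries to show." is ungrammatical; suggest "Space-separated list of additional anchors whose log entries for denied packets are also shown." Since the script splits this value on whitespace, it is also worth stating here that anchor names must not contain spaces. The `.Xr blacklistd 8` cross-reference matches the `pfctl -a "blacklistd"` call in 520.pfdenied, whereas the commit message calls it blocklistd(8); one name should be used consistently between the message and the manual page.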
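Review bot: the variable expanded on the new `for` line in 520.pfdenied, `${security_status_pfdenied_anchors}`, does not match the name documented in periodic.conf.5 and defaulted in periodic.conf, `security_status_pfdenied_additionalanchors`, so anchors configured through the documented knob are never read and the new option is a no-op as committed; the script should expand `${security_status_pfdenied_additionalanchors}` instead. A smaller point on the same line: the expansion is intentionally unquoted so that the shell word-splits the list, but that also exposes each word to pathname expansion, so an anchor name containing `*`, `?` or `[` could be rewritten from the current directory's contents before reaching `pfctl -a "${_a}"`; wrapping the loop in `set -f` / `set +f` avoids that without losing the word splitting.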