From nobody Fri Feb 21 08:11:48 2025
Date: Fri, 21 Feb 2025 08:11:48 GMT
Message-Id: <202502210811.51L8Bm6A076720@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 1ba1e152f888 - main - pf: make log(matches) more useful
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 1ba1e152f8889865e58df6c64d1e595f81f0babc

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=1ba1e152f8889865e58df6c64d1e595f81f0babc

commit 1ba1e152f8889865e58df6c64d1e595f81f0babc
Author:     Kristof Provost
AuthorDate: 2025-02-14 10:06:26 +0000
Commit:     Kristof Provost
CommitDate: 2025-02-21 08:11:03 +0000

    pf: make log(matches) more useful

    change log(matches) semantics slightly to make it more useful. since it is
    a debug tool change of semantics not considered problematic.

    up until now, log(matches) forced logging on subsequent matching rules, the
    actual logging used the log settings from that matched rule. now,
    log(matches) causes subsequent matches to be logged with the log settings
    from the log(matches) rule.

    in particular (this was the driving point), log(matches, to pflog23) allows
    you to have the trace log going to a separate pflog interface, not
    clobbering your regular pflogs, actually not affecting them at all.

    long conversation with bluhm about it, which didn't lead to a single bit
    changed in the diff but was very very helpful. ok bluhm as well.
Obtained from: OpenBSD, henning , f61b1efcce Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/net/if_pflog.h | 4 ++-- sys/net/pfvar.h | 2 +- sys/netpfil/pf/if_pflog.c | 11 +++++++---- sys/netpfil/pf/pf.c | 41 ++++++++++++++++++++++++++++++----------- sys/netpfil/pf/pf_norm.c | 6 +++--- 5 files changed, 43 insertions(+), 21 deletions(-) diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h index dc22c05cdea0..906f700b54e3 100644 --- a/sys/net/if_pflog.h +++ b/sys/net/if_pflog.h @@ -69,9 +69,9 @@ struct pf_ruleset; struct pfi_kif; struct pf_pdesc; -#define PFLOG_PACKET(b,t,c,d,e,f,g) do { \ +#define PFLOG_PACKET(b,t,c,d,e,f,g,h) do { \ if (pflog_packet_ptr != NULL) \ - pflog_packet_ptr(b,t,c,d,e,f,g); \ + pflog_packet_ptr(b,t,c,d,e,f,g,h); \ } while (0) #endif /* _KERNEL */ #endif /* _NET_IF_PFLOG_H_ */ diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 0295bcc125f8..b481f767725d 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1277,7 +1277,7 @@ struct pf_kruleset; struct pf_pdesc; typedef int pflog_packet_t(uint8_t, u_int8_t, struct pf_krule *, struct pf_krule *, struct pf_kruleset *, - struct pf_pdesc *, int); + struct pf_pdesc *, int, struct pf_krule *); extern pflog_packet_t *pflog_packet_ptr; #endif /* _KERNEL */ diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c index 016ff96b02b4..6a87ea2471cb 100644 --- a/sys/netpfil/pf/if_pflog.c +++ b/sys/netpfil/pf/if_pflog.c 
@@ -243,18 +243,21 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data) static int pflog_packet(uint8_t action, u_int8_t reason, struct pf_krule *rm, struct pf_krule *am, - struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe) + struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe, + struct pf_krule *trigger) { struct ifnet *ifn; struct pfloghdr hdr; if (rm == NULL || pd == NULL) return (1); + if (trigger == NULL) + trigger = rm; - if (rm->logif > V_npflogifs) + if (trigger->logif > V_npflogifs) return (0); - ifn = V_pflogifs[rm->logif]; + ifn = V_pflogifs[trigger->logif]; if (ifn == NULL || !bpf_peers_present(ifn->if_bpf)) return (0); @@ -281,7 +284,7 @@ pflog_packet(uint8_t action, u_int8_t reason, * state lock, since this leads to unsafe LOR. * These conditions are very very rare, however. */ - if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done && lookupsafe) + if (trigger->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done && lookupsafe) pd->lookup.done = pf_socket_lookup(pd); if (pd->lookup.done > 0) hdr.uid = pd->lookup.uid; diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index e8b7a071a3c9..153fd11f1d2c 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -386,6 +386,9 @@ static int pf_match_rcvif(struct mbuf *, struct pf_krule *); static void pf_counters_inc(int, struct pf_pdesc *, struct pf_kstate *, struct pf_krule *, struct pf_krule *); +static void pf_log_matches(struct pf_pdesc *, struct pf_krule *, + struct pf_krule *, struct pf_kruleset *, + struct pf_krule_slist *); static void pf_overload_task(void *v, int pending); static u_short pf_insert_src_node(struct pf_ksrc_node *[PF_SN_MAX], struct pf_srchash *[PF_SN_MAX], struct pf_krule *, @@ -5535,7 +5538,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, if (nr->log) { PFLOG_PACKET(nr->action, PFRES_MATCH, nr, a, - ruleset, pd, 1); + ruleset, pd, 1, NULL); } if (pd->ip_sum) 
@@ -5826,18 +5829,17 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, goto cleanup; } } - if (r->log || pd->act.log & PF_LOG_MATCHES) + if (r->log) PFLOG_PACKET(r->action, PFRES_MATCH, r, - a, ruleset, pd, 1); + a, ruleset, pd, 1, NULL); } else { match = asd; *rm = r; *am = a; *rsm = ruleset; - if (pd->act.log & PF_LOG_MATCHES) - PFLOG_PACKET(r->action, PFRES_MATCH, r, - a, ruleset, pd, 1); } + if (pd->act.log & PF_LOG_MATCHES) + pf_log_matches(pd, r, a, ruleset, &match_rules); if (r->quick) break; r = TAILQ_NEXT(r, entries); @@ -5866,12 +5868,13 @@ nextrule: } } - if (r->log || pd->act.log & PF_LOG_MATCHES) { + if (r->log) { if (rewrite) m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); - PFLOG_PACKET(r->action, reason, r, a, ruleset, pd, 1); + PFLOG_PACKET(r->action, reason, r, a, ruleset, pd, 1, NULL); } - + if (pd->act.log & PF_LOG_MATCHES) + pf_log_matches(pd, r, a, ruleset, &match_rules); if (pd->virtual_proto != PF_VPROTO_FRAGMENT && (r->action == PF_DROP) && ((r->rule_flag & PFRULE_RETURNRST) || @@ -10092,6 +10095,22 @@ pf_counters_inc(int action, struct pf_pdesc *pd, } pf_counter_u64_critical_exit(); } +static void +pf_log_matches(struct pf_pdesc *pd, struct pf_krule *rm, + struct pf_krule *am, struct pf_kruleset *ruleset, + struct pf_krule_slist *matchrules) +{ + struct pf_krule_item *ri; + + /* if this is the log(matches) rule, packet has been logged already */ + if (rm->log & PF_LOG_MATCHES) + return; + + SLIST_FOREACH(ri, matchrules, entry) + if (ri->r->log & PF_LOG_MATCHES) + PFLOG_PACKET(rm->action, PFRES_MATCH, rm, am, + ruleset, pd, 1, ri->r); +} #if defined(INET) || defined(INET6) int 
@@ -10495,12 +10514,12 @@ done: if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL) PFLOG_PACKET(action, reason, lr, a, - ruleset, &pd, (s == NULL)); + ruleset, &pd, (s == NULL), NULL); if (s) { SLIST_FOREACH(ri, &s->match_rules, entry) if (ri->r->log & PF_LOG_ALL) PFLOG_PACKET(action, - reason, ri->r, a, ruleset, &pd, 0); + reason, ri->r, a, ruleset, &pd, 0, NULL); } } diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 57b9549df5e0..ac74434cf2b7 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1217,7 +1217,7 @@ pf_normalize_ip(u_short *reason, struct pf_pdesc *pd) REASON_SET(reason, PFRES_FRAG); drop: if (r != NULL && r->log) - PFLOG_PACKET(PF_DROP, *reason, r, NULL, NULL, pd, 1); + PFLOG_PACKET(PF_DROP, *reason, r, NULL, NULL, pd, 1, NULL); return (PF_DROP); } @@ -1421,7 +1421,7 @@ pf_normalize_tcp(struct pf_pdesc *pd) tcp_drop: REASON_SET(&reason, PFRES_NORM); if (rm != NULL && r->log) - PFLOG_PACKET(PF_DROP, reason, r, NULL, NULL, pd, 1); + PFLOG_PACKET(PF_DROP, reason, r, NULL, NULL, pd, 1, NULL); return (PF_DROP); } @@ -2185,7 +2185,7 @@ sctp_drop: REASON_SET(&reason, PFRES_NORM); if (rm != NULL && r->log) PFLOG_PACKET(PF_DROP, reason, r, NULL, NULL, pd, - 1); + 1, NULL); return (PF_DROP); }
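Review bot: the new `trigger` argument of pflog_packet() in the if_pflog.c hunk is undocumented, and its contract is subtle: only `trigger->logif` and `trigger->log & PF_LOG_SOCKET_LOOKUP` are switched to the triggering rule, `rm` stays the matched rule the entry describes, and a NULL `trigger` silently means "same as rm". The NULL default is applied after the `rm == NULL || pd == NULL` return, so `trigger` is never dereferenced while NULL; that ordering has to survive any later reorganisation. Suggest a comment beside `if (trigger == NULL)` such as `/* trigger: rule whose log options (logif, socket lookup) apply; rm: matched rule being logged */` so the split introduced for log(matches) is visible where the fields are read.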
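Review bot: in the `nextrule:` hunk of pf.c the `if (rewrite) m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);` now runs only under `if (r->log)`, but the new `if (pd->act.log & PF_LOG_MATCHES) pf_log_matches(...)` that follows logs the same packet when `r->log` is zero, and in that case the rewritten header in `pd->hdr.any` has not been written back into the mbuf before pf_log_matches() hands it to PFLOG_PACKET. The removed condition `if (r->log || pd->act.log & PF_LOG_MATCHES)` covered both paths. Suggest hoisting the copyback so it precedes either logging call, e.g. `if (rewrite && (r->log || pd->act.log & PF_LOG_MATCHES)) m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);`.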
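Review bot: pf_log_matches() in the pf.c hunk at 10095 has no function comment, and two of its choices deserve one: it emits one entry per log(matches) rule found in `matchrules`, so several such rules produce several copies of the same packet on their respective `logif`s, and it always passes `PFRES_MATCH`, so the entry the `nextrule:` caller produces for the final rule carries PFRES_MATCH where the adjacent `PFLOG_PACKET(r->action, reason, ...)` carries the real `reason`. If both are intended, state it in a comment; otherwise consider passing `reason` in. The early return on `rm->log & PF_LOG_MATCHES` is sound, since such a rule has a non-zero `log` and is therefore already logged by the caller's `if (r->log)` branch, but the existing one-line comment should say that this is why.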
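Review bot: in the `tcp_drop:` and `sctp_drop:` hunks of pf_norm.c the guard `if (rm != NULL && r->log)` tests `rm` for NULL but dereferences `r`; nothing in the visible context shows that `r == rm` holds at those labels, and the pf_normalize_ip hunk just above uses the consistent `if (r != NULL && r->log)`. This is pre-existing rather than introduced here, but since the lines are being touched anyway, `rm->log` (or `r != NULL && r->log`) would remove the question.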
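The separate-interface trace the commit message describes, as an added pf.conf example that is not part of the commit or of the pf sources; `pflog1` is used in place of the message's pflog23 and is assumed to exist (created with `ifconfig pflog1 create`), and `em0` is a placeholder interface name:

```pf
# Constructed example: send the log(matches) trace to pflog1 while the
# regular log (pflog0 by default) is left untouched.
ext_if = "em0"

# With the new semantics the log options of this rule ("to pflog1")
# apply to every later rule the same packet matches.
match in on $ext_if log (matches, to pflog1)

# Regular policy. Only rules marked "log" write their own entries, and
# those still go to pflog0.
block in on $ext_if
pass in on $ext_if proto tcp to port 22 log
pass in on $ext_if proto tcp to port 443

# A packet to port 443 matches the match rule and the last pass rule.
# Before this change the trace entry used the pass rule's own settings,
# i.e. it landed on pflog0 next to the regular log; now it goes to
# pflog1, attributed to the pass rule. A packet to port 22 appears once
# on pflog0 (the pass rule's own "log") and once on pflog1 (the trace).
#
# Read the trace separately with:   tcpdump -n -e -ttt -i pflog1
```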