From: Özkan KIRIK
Date: Tue, 28 Dec 2021 09:57:48 +0300
Subject: Re: Logging NAT translations and correlating nat & rule logs
To: Franco Fichtner
Cc: freebsd-pf@freebsd.org
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

And also, rule number and subrulenr information is missing.

On Tue, Dec 28, 2021 at 7:50 AM Özkan KIRIK wrote:
>
> Hi,
>
> I've cherry picked 8e496ea1df1 commit to stable/12 on my local branch.
> Patch works properly.
> But the ruleset section in the pflog header is empty. The anchor name
> of rdr rule was not filled into the pflog header.
>
> I'm also looking for a packet identifier for aggregating the nat and
> rule logs of the same traversing packet.
> Does it make sense to use ip.id field of ip header within 1 second
> time window for aggregating logs ?
>
> Thanks and regards
>
> On Wed, Dec 1, 2021 at 4:23 PM Özkan KIRIK wrote:
> >
> > Thank you Franco, I'll test it
> >
> > On Wed, Dec 1, 2021 at 4:10 PM Franco Fichtner wrote:
> > >
> > > Hi Özkan,
> > >
> > > > On 28. Nov 2021, at 8:06 PM, Özkan KIRIK wrote:
> > > >
> > > > I'm trying to log NAT, BINAT, RDR translations. But the "nat log on
> > > > ...." statement only logs the packets after translation is done. So
> > > > the information before translation is lost.
> > > > Is there a way to log the translation details ?
> > >
> > > https://github.com/freebsd/freebsd-src/commit/8e496ea1df1 was introduced
> > > to address this but has not been moved to stable/12 or stable/13.
> > >
> > > I see there is some controversy around patches that made it to stable
> > > for less so I'd probably advocate to add this patch as well since it
> > > solves a longterm issue with NAT logging visibility.
> > >
> > >
> > > Cheers,
> > > Franco
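
One way to try the ip.id-plus-time-window correlation asked about in the message above, as an added example that is not part of the thread or of pf: it joins nat and rule log records on (protocol, ip.id) within 1 second and reports ID collisions instead of guessing a match. The record fields, the `correlate` function and the sample records are constructed for illustration, and the example assumes the translation leaves ip.id unchanged.

```python
from collections import defaultdict

WINDOW = 1.0  # seconds: the time window proposed in the thread

# Constructed sample records (not real pflog output). Addresses come from
# the RFC 5737 documentation ranges; field names are hypothetical.
NAT_LOGS = [
    {"ts": 100.10, "proto": "tcp", "ip_id": 4242, "src": "192.0.2.10"},
    {"ts": 100.20, "proto": "udp", "ip_id": 7, "src": "192.0.2.11"},
    {"ts": 100.60, "proto": "udp", "ip_id": 7, "src": "192.0.2.12"},
    {"ts": 100.30, "proto": "tcp", "ip_id": 0, "src": "192.0.2.13"},
]
RULE_LOGS = [
    {"ts": 100.11, "proto": "tcp", "ip_id": 4242, "src": "203.0.113.1"},
    {"ts": 100.25, "proto": "udp", "ip_id": 7, "src": "203.0.113.1"},
    {"ts": 100.31, "proto": "tcp", "ip_id": 0, "src": "203.0.113.1"},
    {"ts": 105.00, "proto": "tcp", "ip_id": 4242, "src": "203.0.113.1"},
]


def correlate(nat_logs, rule_logs, window=WINDOW):
    """Join rule-log records to nat-log records on (proto, ip_id) within
    `window` seconds. Returns (pairs, ambiguous, unmatched)."""
    by_key = defaultdict(list)
    for n in nat_logs:
        by_key[(n["proto"], n["ip_id"])].append(n)

    pairs, ambiguous, unmatched = [], [], []
    for r in rule_logs:
        # RFC 6864 lets atomic (DF, unfragmented) datagrams carry any ID,
        # so a zero ID is skipped rather than used as a join key.
        if r["ip_id"] == 0:
            unmatched.append(r)
            continue
        cands = [n for n in by_key.get((r["proto"], r["ip_id"]), [])
                 if abs(n["ts"] - r["ts"]) <= window]
        if len(cands) == 1:
            pairs.append((r, cands[0]))
        elif cands:
            # The 16-bit ID collided inside the window: report, don't guess.
            ambiguous.append((r, cands))
        else:
            unmatched.append(r)
    return pairs, ambiguous, unmatched


if __name__ == "__main__":
    pairs, ambiguous, unmatched = correlate(NAT_LOGS, RULE_LOGS)
    print(len(pairs), "paired,", len(ambiguous), "ambiguous,",
          len(unmatched), "unmatched")
```

On the constructed records, the size of the ambiguous and unmatched sets is the measure of how far ip.id alone can be trusted as a packet identifier at a given traffic rate.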