pflog: ruleset and subrulenr is missing for nat, rdr, binat
Date: Tue, 11 Jan 2022 17:50:47 UTC
Hi,
I'm using FreeBSD stable/12-n234401-66d9cbc5d269: Mon Dec 27 23:27:28 +03 2021.
The ruleset and subrulenr fields are not filled for nat, rdr, binat logs.
The basic test is below:
# pfctl -sn -a portFwd
rdr log (to pflog3) on em0 inet proto tcp from any to 172.16.33.10 port = ssh -> 192.168.33.1 port 22
# tcpdump -leqni pflog3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog3, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
20:40:24.622962 rule 0/0(match): rdr in on em0: 172.16.33.1.33670 > 172.16.33.10.22: tcp 0
# tshark -Tjson -ni pflog3
[Capturing on 'pflog3'
** (tshark:19497) 20:42:08.788099 [Main MESSAGE] -- Capture started.
** (tshark:19497) 20:42:08.788304 [Main MESSAGE] -- File: "/tmp/wireshark_pflog3HHKDF1.pcapng"
...
"pflog": {
"pflog.length": "69",
"pflog.af": "2",
"pflog.action": "8",
"pflog.reason": "0",
"pflog.ifname": "em0",
"pflog.ruleset": "",
"pflog.rulenr": "0",
"pflog.subrulenr": "-1",
"pflog.uid": "-1",
"pflog.pid": "-1601830656",
"pflog.rule_uid": "0",
"pflog.rule_pid": "-1190985728",
"pflog.dir": "1",
"pflog.pad": "00:00:00"
},
...
Is there any way to fill the ruleset and subrulenr fields for nat, binat
and rdr actions?
Regards
Ozkan.