F96033001
D46588.diff
No One
D46588.diff
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -507,7 +507,7 @@
%token REASSEMBLE ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY
%token RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
-%token ANTISPOOF FOR INCLUDE KEEPCOUNTERS SYNCOOKIES L3
+%token ANTISPOOF FOR INCLUDE KEEPCOUNTERS SYNCOOKIES L3 MATCHES
%token ETHER
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY MAPEPORTSET
%token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME
@@ -3222,6 +3222,7 @@
;
logopt : ALL { $$.log = PF_LOG_ALL; $$.logif = 0; }
+ | MATCHES { $$.log = PF_LOG_MATCHES; $$.logif = 0; }
| USER { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
| GROUP { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
| TO string {
@@ -6365,6 +6366,7 @@
{ "loginterface", LOGINTERFACE},
{ "map-e-portset", MAPEPORTSET},
{ "match", MATCH},
+ { "matches", MATCHES},
{ "max", MAXIMUM},
{ "max-mss", MAXMSS},
{ "max-src-conn", MAXSRCCONN},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -918,6 +918,8 @@
printf(" (");
if (r->log & PF_LOG_ALL)
printf("%sall", count++ ? ", " : "");
+ if (r->log & PF_LOG_MATCHES)
+ printf("%smatches", count++ ? ", " : "");
if (r->log & PF_LOG_SOCKET_LOOKUP)
printf("%suser", count++ ? ", " : "");
if (r->logif)
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1684,6 +1684,8 @@
.Ar log ,
packets are logged to
.Xr pflog 4 .
+.It Ar log (matches)
+Used to force logging of this packet on all subsequent matching rules.
.It Ar log (user)
Logs the
.Ux
@@ -3217,7 +3219,7 @@
hosts [ filteropt-list ]
logopts = logopt [ "," logopts ]
-logopt = "all" | "user" | "to" interface-name
+logopt = "all" | "matches" | "user" | "to" interface-name
etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
etherfilteropt = "tag" string | "tagged" string | "queue" ( string ) |
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -137,6 +137,7 @@
#define PF_LOG_ALL 0x02
#define PF_LOG_SOCKET_LOOKUP 0x04
#define PF_LOG_FORCE 0x08
+#define PF_LOG_MATCHES 0x10
/* Reasons code for passing/dropping a packet */
#define PFRES_MATCH 0 /* Explicit match of a rule */
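Review bot: PF_LOG_MATCHES is added without a comment, although pf.c tests it on the per-packet `pd->act.log` as well as on the rule's own `log` field, which sets it apart from the neighbouring bits. A one-line comment would record that: `#define PF_LOG_MATCHES 0x10 /* log packet on all subsequent matching rules */`. The definitions of the fields that hold these flags are not visible in this diff, so it is worth confirming that each is wide enough for bit 0x10.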
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5198,7 +5198,7 @@
pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);
pf_counter_u64_critical_exit();
pf_rule_to_actions(r, &pd->act);
- if (r->log)
+ if (r->log || pd->act.log & PF_LOG_MATCHES)
PFLOG_PACKET(kif, m, af,
r->action, PFRES_MATCH, r,
a, ruleset, pd, 1);
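Review bot: The new condition `r->log || pd->act.log & PF_LOG_MATCHES` relies on `&` binding tighter than `||`. It evaluates as intended, but the mask test should be parenthesized so the intent is visible at a glance: `if (r->log || (pd->act.log & PF_LOG_MATCHES))`. The same expression is repeated in the hunk at -5229 and should get the same treatment. The enclosing function starts and ends outside this hunk.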
@@ -5207,6 +5207,10 @@
*rm = r;
*am = a;
*rsm = ruleset;
+ if (pd->act.log & PF_LOG_MATCHES)
+ PFLOG_PACKET(kif, m, af,
+ r->action, PFRES_MATCH, r,
+ a, ruleset, pd, 1);
}
if ((*rm)->quick)
break;
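Review bot: With PF_LOG_MATCHES set in `pd->act.log`, the added PFLOG_PACKET call emits a record for every matching pass/block rule, and the last of those rules appears to be logged a second time by the post-loop check changed in the next hunk (there with `reason` instead of PFRES_MATCH). If the duplicate is intended, say so in a comment, e.g. `/* log (matches): one record per matching rule; the final rule is logged again after the loop with the real reason */`. The per-rule records multiply pflog volume by the number of rules a packet matches, which pf.conf(5) should mention so operators can size log storage and notice a ruleset that floods pflog under load. This call also runs before the `m_copyback()` that the post-loop path performs when `rewrite` is set, so the logged header may predate the rewrite; this is inferred from the visible lines only, as the enclosing loop lies outside the hunk.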
@@ -5229,7 +5233,7 @@
/* apply actions for last matching pass/block rule */
pf_rule_to_actions(r, &pd->act);
- if (r->log) {
+ if (r->log || pd->act.log & PF_LOG_MATCHES) {
if (rewrite)
m_copyback(m, off, hdrlen, pd->hdr.any);
PFLOG_PACKET(kif, m, af, r->action, reason, r, a, ruleset, pd, 1);
D46588: pf: add a new log opt PF_LOG_MATCHES