authorhenning <henning@openbsd.org>2015-02-12 01:24:10 +0000
committerhenning <henning@openbsd.org>2015-02-12 01:24:10 +0000
commitf61b1efccea797fa6960a16e5c6490f40a6ff5a0 (patch)
tree001158c850b148370f8f58e53ccf3815faefbde5
parentber_printf_elements should return NULL if any of its parts fail. (diff)
change log(matches) semantics slightly to make it more useful. since it
is a debug tool, the change of semantics is not considered problematic. up until now, log(matches) forced logging on subsequent matching rules, and the actual logging used the log settings from that matched rule. now, log(matches) causes subsequent matches to be logged with the log settings from the log(matches) rule. in particular (this was the driving point), log(matches, to pflog23) allows you to have the trace log going to a separate pflog interface, not clobbering your regular pflogs, actually not affecting them at all. long conversation with bluhm about it, which didn't lead to a single bit changed in the diff but was very very helpful. ok bluhm as well.
-rw-r--r--sys/net/if_pflog.c12
-rw-r--r--sys/net/if_pflog.h6
-rw-r--r--sys/net/pf.c42
-rw-r--r--sys/net/pfvar.h4
4 files changed, 43 insertions, 21 deletions
diff --git a/sys/net/if_pflog.c b/sys/net/if_pflog.c
index dd23c716e52..82d9f990887 100644
--- a/sys/net/if_pflog.c
+++ b/sys/net/if_pflog.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.c,v 1.67 2014/12/19 17:14:39 tedu Exp $ */
+/* $OpenBSD: if_pflog.c,v 1.68 2015/02/12 01:24:10 henning Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -241,7 +241,7 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
int
pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm,
- struct pf_rule *am, struct pf_ruleset *ruleset)
+ struct pf_rule *am, struct pf_ruleset *ruleset, struct pf_rule *trigger)
{
#if NBPFILTER > 0
struct ifnet *ifn;
@@ -249,9 +249,11 @@ pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm,
if (rm == NULL || pd == NULL || pd->kif == NULL || pd->m == NULL)
return (-1);
+ if (trigger == NULL)
+ trigger = rm;
- if (rm->logif >= npflogifs || (ifn = pflogifs[rm->logif]) == NULL ||
- !ifn->if_bpf)
+ if (trigger->logif >= npflogifs || (ifn = pflogifs[trigger->logif]) ==
+ NULL || !ifn->if_bpf)
return (0);
bzero(&hdr, sizeof(hdr));
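Review bot: pflog_packet now draws on two different rules without saying so: `trigger` supplies the output interface (`trigger->logif`) and, in the next hunk, the socket-lookup decision (`trigger->log & PF_LOG_SOCKET_LOOKUP`), while the anchor name and presumably the rule numbers in `hdr` still come from `rm` and `ruleset`. A comment above the `if (trigger == NULL)` default would make that contract explicit, e.g. `/* trigger: rule whose log settings (logif, socket lookup) apply; rm is the rule reported in the header; NULL means rm's own settings */`. The same split is worth one line on the prototype in pfvar.h, since every caller other than pf_log_matches passes NULL. pflog_packet's body begins in the previous hunk and continues past this one.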
@@ -270,7 +272,7 @@ pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm,
strlcpy(hdr.ruleset, ruleset->anchor->name,
sizeof(hdr.ruleset));
}
- if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done)
+ if (trigger->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done)
pd->lookup.done = pf_socket_lookup(pd);
if (pd->lookup.done > 0) {
hdr.uid = pd->lookup.uid;
diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h
index 0a1bd38b534..851c76cc10b 100644
--- a/sys/net/if_pflog.h
+++ b/sys/net/if_pflog.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.h,v 1.25 2014/07/09 11:03:04 henning Exp $ */
+/* $OpenBSD: if_pflog.h,v 1.26 2015/02/12 01:24:10 henning Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -68,9 +68,9 @@ struct pflog_softc {
};
#if NPFLOG > 0
-#define PFLOG_PACKET(a,b,c,d,e) pflog_packet(a,b,c,d,e)
+#define PFLOG_PACKET(a,b,c,d,e,f) pflog_packet(a,b,c,d,e,f)
#else
-#define PFLOG_PACKET(a,b,c,d,e) ((void)0)
+#define PFLOG_PACKET(a,b,c,d,e,f) ((void)0)
#endif /* NPFLOG > 0 */
#endif /* _KERNEL */
#endif /* _NET_IF_PFLOG_H_ */
diff --git a/sys/net/pf.c b/sys/net/pf.c
index ec5f14a7f4d..31417a64fe3 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.904 2015/02/10 09:28:40 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.905 2015/02/12 01:24:10 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -232,6 +232,9 @@ int pf_step_out_of_anchor(int *, struct pf_ruleset **,
void pf_counters_inc(int, struct pf_pdesc *,
struct pf_state *, struct pf_rule *,
struct pf_rule *);
+void pf_log_matches(struct pf_pdesc *, struct pf_rule *,
+ struct pf_rule *, struct pf_ruleset *,
+ struct pf_rule_slist *);
extern struct pool pfr_ktable_pl;
extern struct pool pfr_kentry_pl;
@@ -3254,9 +3257,10 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
REASON_SET(&reason, PFRES_TRANSLATE);
goto cleanup;
}
- if (r->log || act.log & PF_LOG_MATCHES) {
+ if (r->log) {
REASON_SET(&reason, PFRES_MATCH);
- PFLOG_PACKET(pd, reason, r, a, ruleset);
+ PFLOG_PACKET(pd, reason, r, a, ruleset,
+ NULL);
}
} else {
match = asd;
@@ -3264,12 +3268,11 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
*am = a;
*rsm = ruleset;
arsm = aruleset;
- if (act.log & PF_LOG_MATCHES) {
- REASON_SET(&reason, PFRES_MATCH);
- PFLOG_PACKET(pd, reason, r, a, ruleset);
- }
}
+ if (act.log & PF_LOG_MATCHES)
+ pf_log_matches(pd, r, a, ruleset, &rules);
+
if (r->quick)
break;
r = TAILQ_NEXT(r, entries);
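Review bot: The winning rule can be traced twice: the `pf_log_matches` call added here runs on every iteration, including the one where a non-match rule becomes `*rm`, and the post-loop call in the next hunk (`if (act.log & PF_LOG_MATCHES) pf_log_matches(pd, r, a, ruleset, &rules);`) reports that same rule again with the same PFRES_MATCH reason. The removed lines show the old code had the same pair of PFLOG_PACKET sites, so this looks inherited rather than introduced, but the new helper makes the two calls look like one idiom. If the duplicate is deliberate (one trace entry per evaluated rule plus one for the final decision) a comment at the post-loop call such as `/* final decision; the in-loop call already traced each candidate */` would stop the next reader from "fixing" it; if not, the in-loop call belongs inside the `PF_MATCH` branch only. pf_test_rule's loop starts and ends outside this hunk.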
@@ -3298,8 +3301,10 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
}
REASON_SET(&reason, PFRES_MATCH);
- if (r->log || act.log & PF_LOG_MATCHES)
- PFLOG_PACKET(pd, reason, r, a, ruleset);
+ if (r->log)
+ PFLOG_PACKET(pd, reason, r, a, ruleset, NULL);
+ if (act.log & PF_LOG_MATCHES)
+ pf_log_matches(pd, r, a, ruleset, &rules);
if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
(r->action == PF_DROP) &&
@@ -6549,12 +6554,12 @@ done:
struct pf_rule_item *ri;
if (pd.pflog & PF_LOG_FORCE || r->log & PF_LOG_ALL)
- PFLOG_PACKET(&pd, reason, r, a, ruleset);
+ PFLOG_PACKET(&pd, reason, r, a, ruleset, NULL);
if (s) {
SLIST_FOREACH(ri, &s->match_rules, entry)
if (ri->r->log & PF_LOG_ALL)
PFLOG_PACKET(&pd, reason, ri->r, a,
- ruleset);
+ ruleset, NULL);
}
}
@@ -6684,3 +6689,18 @@ pf_pkt_addr_changed(struct mbuf *m)
{
m->m_pkthdr.pf.statekey = NULL;
}
+
+void
+pf_log_matches(struct pf_pdesc *pd, struct pf_rule *rm, struct pf_rule *am,
+ struct pf_ruleset *ruleset, struct pf_rule_slist *matchrules)
+{
+ struct pf_rule_item *ri;
+
+ /* if this is the log(matches) rule, packet has been logged already */
+ if (rm->log & PF_LOG_MATCHES)
+ return;
+
+ SLIST_FOREACH(ri, matchrules, entry)
+ if (ri->r->log & PF_LOG_MATCHES)
+ PFLOG_PACKET(pd, PFRES_MATCH, rm, am, ruleset, ri->r);
+}
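Review bot: The early return at `if (rm->log & PF_LOG_MATCHES)` skips every trigger, not just rm's own: with two log(matches) rules sending to different pflog interfaces (the configuration the commit message describes), a later log(matches) rule appears only on its own logif and never on the earlier rule's, because the caller's `r->log` branch wrote only the self entry. If cross-trigger reporting is intended, dropping the early return and changing the loop test to `if (ri->r != rm && (ri->r->log & PF_LOG_MATCHES))` keeps the "already logged" property for the self entry while still reporting rm to every other trigger. Either way the function needs a header comment, since the argument roles are not obvious: rm/am/ruleset describe the rule being reported, matchrules is the list of match rules collected so far, and each entry carrying PF_LOG_MATCHES becomes the trigger whose log settings pflog_packet applies. Note also that `PFRES_MATCH` is passed straight to PFLOG_PACKET instead of a `reason` set through `REASON_SET` as the callers do; if that macro does more than assign, the difference deserves a one-line comment.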
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 2a59eec3c67..92806086987 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.411 2015/02/10 09:28:40 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.412 2015/02/12 01:24:10 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1815,7 +1815,7 @@ void pf_change_a(struct pf_pdesc *, void *, u_int32_t);
int pf_check_proto_cksum(struct pf_pdesc *, int, int, u_int8_t,
sa_family_t);
int pflog_packet(struct pf_pdesc *, u_int8_t, struct pf_rule *,
- struct pf_rule *, struct pf_ruleset *);
+ struct pf_rule *, struct pf_ruleset *, struct pf_rule *);
void pf_send_deferred_syn(struct pf_state *);
int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *,
struct pf_addr *, sa_family_t);