author | 2021-01-12 00:10:34 +0000 | |
---|---|---|
committer | 2021-01-12 00:10:34 +0000 | |
commit | f6d3bf21b274662ea88e4e2d963249cb83c2035e (patch) | |
tree | 14a71cc407a0e70c76b0b58797cc90fdab313624 | |
parent | Regress and Makefile cleanup. (diff) | |
Sometimes a user ID was logged in pflog(4) although the logopt of
the rule did not specify it. Check the option again for the log
rule in case another rule has triggered a socket lookup. Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does. The lookup involved is only an implementation
detail.
OK kn@ sashan@ mvs@
-rw-r--r-- | sbin/pfctl/parse.y | 5 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 4 | ||||
-rw-r--r-- | sys/net/if_pflog.c | 6 | ||||
-rw-r--r-- | sys/net/pfvar.h | 4 |
4 files changed, 9 insertions, 10 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 2b3e62b1a7e..91cc7aa0a5c 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.707 2020/12/16 18:01:16 kn Exp $ */
+/* $OpenBSD: parse.y,v 1.708 2021/01/12 00:10:34 bluhm Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -2409,8 +2409,7 @@ logopts : logopt { $$ = $1; }
 logopt : ALL { $$.log = PF_LOG_ALL; $$.logif = 0; }
 | MATCHES { $$.log = PF_LOG_MATCHES; $$.logif = 0; }
- | USER { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
- | GROUP { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
+ | USER { $$.log = PF_LOG_USER; $$.logif = 0; }
 | TO string {
 const char *errstr;
 u_int i;
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 03317844e91..4636c143222 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.344 2020/12/29 19:50:28 benno Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.345 2021/01/12 00:10:34 bluhm Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -795,7 +795,7 @@ print_rule(struct pf_rule *r, const char *anchor_call, int opts)
 printf("%sall", count++ ? ", " : "");
 if (r->log & PF_LOG_MATCHES)
 printf("%smatches", count++ ? ", " : "");
- if (r->log & PF_LOG_SOCKET_LOOKUP)
+ if (r->log & PF_LOG_USER)
 printf("%suser", count++ ? ", " : "");
 if (r->logif)
 printf("%sto pflog%u", count++ ? ", " : "",
diff --git a/sys/net/if_pflog.c b/sys/net/if_pflog.c
index be6471e1dca..326c3b6d823 100644
--- a/sys/net/if_pflog.c
+++ b/sys/net/if_pflog.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.c,v 1.92 2021/01/11 21:50:56 kn Exp $ */
+/* $OpenBSD: if_pflog.c,v 1.93 2021/01/12 00:10:34 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and 
@@ -242,9 +242,9 @@ pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm,
 strlcpy(hdr.ruleset, ruleset->anchor->name, sizeof(hdr.ruleset));
 }
- if (trigger->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done)
+ if (trigger->log & PF_LOG_USER && !pd->lookup.done)
 pd->lookup.done = pf_socket_lookup(pd);
- if (pd->lookup.done > 0) {
+ if (trigger->log & PF_LOG_USER && pd->lookup.done > 0) {
 hdr.uid = pd->lookup.uid;
 hdr.pid = pd->lookup.pid;
 } else {
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 42fe9376eee..ef80398538b 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.497 2020/10/14 19:22:14 naddy Exp $ */
+/* $OpenBSD: pfvar.h,v 1.498 2021/01/12 00:10:34 bluhm Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -156,7 +156,7 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
 #define PF_LOG 0x01
 #define PF_LOG_ALL 0x02
-#define PF_LOG_SOCKET_LOOKUP 0x04
+#define PF_LOG_USER 0x04
 #define PF_LOG_FORCE 0x08
 #define PF_LOG_MATCHES 0x10 |
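Review bot: The second `if` in pflog_packet now repeats the `trigger->log & PF_LOG_USER` test from the line two above, and nothing in the code says why the flag must be consulted again before copying `pd->lookup.uid`/`pid` into the header; the commit message explains that `pd->lookup` may already be filled in by a different rule, but a later reader who only sees the code could "simplify" the condition back to `pd->lookup.done > 0` and reintroduce the uid leak into pflog(4). I would evaluate the flag once and leave a why-comment next to it, e.g. `int log_user = (trigger->log & PF_LOG_USER) != 0;` with the comment `/* pd->lookup may have been done for another rule; only expose uid/pid when this log rule asked for it. */`, and then `if (log_user && !pd->lookup.done)` and `if (log_user && pd->lookup.done > 0) {`. The current form also relies on `&` binding tighter than `&&`, which is correct in C but terse enough that explicit parentheses would not hurt. pflog_packet's signature and the `else` branch that presumably fills in the no-user values lie outside the hunk.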