
pf: Log the intended action when a NAT rule matches a packet
Closed, Public

Authored by markj on Feb 10 2025, 3:53 PM.

Details

Summary

When a packet matches a binat/nat/rdr rule, pf logs the match. The log
metadata includes the rule's action on the packet, e.g., PF_PASS. NAT
rules have their own actions: PF_BINAT, PF_NAT, PF_RDR.

Before commit 948e8413aba0 ("pflog: pass the action to pflog directly"),
pflog_packet() would obtain the action from the rule definition, whereas
after that commit the action is passed as a parameter. When a NAT rule
matches, we want to log the rule action, but after that commit, PF_PASS
is hard-coded. Restore the previous behaviour.

Add a regression test which installs a redirect, logs packets matching
the redirect rule, and verifies that the corresponding pflog entry
includes the correct action.

Fixes: 948e8413aba0 ("pflog: pass the action to pflog directly")
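A check of the kind the regression test described above performs, as an added example that is not code from this review or from FreeBSD's test suite: it pulls the action field out of the header tcpdump prints for a pflog entry with -e (the format "rule N/M(reason): action dir on ifname: ..." is assumed here) and verifies that a packet logged by a redirect rule carries "rdr" rather than the hard-coded "pass". The sample lines are constructed, not captured output.

```sh
#!/bin/sh
# Added example: verify the action recorded in pflog entries.
# Assumption: tcpdump -e prints pflog headers as
#   rule N/M(reason): action dir on ifname: <packet>

# Print the action token ("rdr", "nat", "binat", "pass", ...) of one line.
pflog_action() {
    printf '%s\n' "$1" |
        sed -n 's/^rule [0-9]*\/[0-9]*([a-z-]*): \([a-z]*\) .*/\1/p'
}

# Succeed only if the logged action equals the expected one.
#   $1 = expected action, $2 = one pflog line
check_nat_action() {
    got=$(pflog_action "$2")
    [ "$got" = "$1" ]
}

# Succeed only if every line of a multi-line capture has the expected
# action; one wrong line (e.g. a "pass" logged for a rdr rule) fails.
check_capture() {
    expected=$1
    capture=$2
    printf '%s\n' "$capture" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_nat_action "$expected" "$line" || exit 1
    done
}

# Constructed sample lines (not real captures).
FIXED='rule 0/0(match): rdr in on epair0b: 192.0.2.1.40000 > 192.0.2.2.80: Flags [S]'
REGRESSED='rule 0/0(match): pass in on epair0b: 192.0.2.1.40000 > 192.0.2.2.80: Flags [S]'

if [ "$(basename -- "$0")" != "-" ] && [ -z "$NO_MAIN" ]; then
    check_nat_action rdr "$FIXED" && echo "fixed kernel: action ok"
    check_nat_action rdr "$REGRESSED" || echo "regressed kernel: logged pass"
fi
```

Run the capture check over the output of `tcpdump -n -e -i pflog0` to apply it to real traffic.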

Diff Detail

Repository
rG FreeBSD src repository