pf: Log the intended action when a NAT rule matches a packet

Description

When a packet matches a binat/nat/rdr rule, pf logs the match. The log
metadata includes the rule's action on the packet, e.g., PF_PASS. NAT
rules have their own actions: PF_BINAT, PF_NAT, PF_RDR.

Before commit 948e8413aba0 ("pflog: pass the action to pflog directly"),
pflog_packet() would obtain the action from the rule definition, whereas
after that commit the action is passed as a parameter. When a NAT rule
matches, we want to log the rule action, but after that commit, PF_PASS
is hard-coded. Restore the previous behaviour.

Add a regression test which installs a redirect, logs packets matching
the redirect rule, and verifies that the corresponding pflog entry
includes the correct action.

Reviewed by: kp
Fixes: 948e8413aba0 ("pflog: pass the action to pflog directly")
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D48911

Details

Provenance:
  Authored by franco_opnsense.org on Fri, Feb 14, 3:14 PM
  Committed by markj on Fri, Feb 14, 3:24 PM
Reviewer:
  rG948e8413aba0: pflog: pass the action to pflog directly
Differential Revision:
  D48911: pf: Log the intended action when a NAT rule matches a packet
Parents:
  rGb96864412700: mtw: Use correct cmd for radio