diff options
| author | Henning Brauer <henning@cvs.openbsd.org> | 2015-02-12 01:24:11 +0000 |
|---|---|---|
| committer | Henning Brauer <henning@cvs.openbsd.org> | 2015-02-12 01:24:11 +0000 |
| commit | e2dc6cb57d92fc7d6220cff76a1f0426424ec700 (patch) | |
| tree | 74869a38848c49c38938f865e65dfe5d99bf55e5 /sys/net/if_pflog.c | |
| parent | 194bb52824f821d117eb28679efab10a2d6ef648 (diff) | |
change log(matches) semantics slightly to make it more useful. since it
is a debug tool change of semantics not considered problematic.
up until now, log(matches) forced logging on subsequent matching rules,
the actual logging used the log settings from that matched rule.
now, log(matches) causes subsequent matches to be logged with the log settings
from the log(matches) rule. in particular (this was the driving point),
log(matches, to pflog23) allows you to have the trace log going to a seperate
pflog interface, not clobbering your regular pflogs, actually not affecting
them at all.
long conversation with bluhm about it, which didn't lead to a single bit
changed in the diff but was very very helpful. ok bluhm as well.
Diffstat (limited to 'sys/net/if_pflog.c')
| -rw-r--r-- | sys/net/if_pflog.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/sys/net/if_pflog.c b/sys/net/if_pflog.c index dd23c716e52..82d9f990887 100644 --- a/sys/net/if_pflog.c +++ b/sys/net/if_pflog.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pflog.c,v 1.67 2014/12/19 17:14:39 tedu Exp $ */ +/* $OpenBSD: if_pflog.c,v 1.68 2015/02/12 01:24:10 henning Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -241,7 +241,7 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data) int pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm, - struct pf_rule *am, struct pf_ruleset *ruleset) + struct pf_rule *am, struct pf_ruleset *ruleset, struct pf_rule *trigger) { #if NBPFILTER > 0 struct ifnet *ifn; @@ -249,9 +249,11 @@ pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm, if (rm == NULL || pd == NULL || pd->kif == NULL || pd->m == NULL) return (-1); + if (trigger == NULL) + trigger = rm; - if (rm->logif >= npflogifs || (ifn = pflogifs[rm->logif]) == NULL || - !ifn->if_bpf) + if (trigger->logif >= npflogifs || (ifn = pflogifs[trigger->logif]) == + NULL || !ifn->if_bpf) return (0); bzero(&hdr, sizeof(hdr)); @@ -270,7 +272,7 @@ pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm, strlcpy(hdr.ruleset, ruleset->anchor->name, sizeof(hdr.ruleset)); } - if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done) + if (trigger->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done) pd->lookup.done = pf_socket_lookup(pd); if (pd->lookup.done > 0) { hdr.uid = pd->lookup.uid; |