-rw-r--r--usr.sbin/relayd/parse.y15
-rw-r--r--usr.sbin/relayd/pfe_filter.c7
-rw-r--r--usr.sbin/relayd/relayd.conf.511
-rw-r--r--usr.sbin/relayd/relayd.h3
4 files changed, 28 insertions, 8 deletions
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index a6842f97046..739ff164e2e 100644
--- a/usr.sbin/relayd/parse.y
+++ b/usr.sbin/relayd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.255 2023/10/29 11:27:11 kn Exp $ */
+/* $OpenBSD: parse.y,v 1.256 2024/06/17 08:02:57 sashan Exp $ */
/*
* Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -179,14 +179,14 @@ typedef struct {
%token TIMEOUT TLS TO ROUTER RTLABEL TRANSPARENT URL WITH TTL RTABLE
%token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
%token EDH TICKETS CONNECTION CONNECTIONS CONTEXT ERRORS STATE CHANGES CHECKS
-%token WEBSOCKETS
+%token WEBSOCKETS PFLOG
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.string> context hostname interface table value path
%type <v.number> http_type loglevel quick
%type <v.number> dstmode flag forwardmode retry
%type <v.number> opttls opttlsclient
-%type <v.number> redirect_proto relay_proto match
+%type <v.number> redirect_proto relay_proto match pflog
%type <v.number> action ruleaf key_option
%type <v.port> port
%type <v.host> host
@@ -605,7 +605,7 @@ rdroptsl : forwardmode TO tablespec interface {
$3->conf.rdrid = rdr->conf.id;
$3->conf.flags |= F_USED;
}
- | LISTEN ON STRING redirect_proto port interface {
+ | LISTEN ON STRING redirect_proto port interface pflog {
if (host($3, &rdr->virts,
SRV_MAX_VIRTS, &$5, $6, $4) <= 0) {
yyerror("invalid virtual ip: %s", $3);
@@ -618,6 +618,8 @@ rdroptsl : forwardmode TO tablespec interface {
if (rdr->conf.port == 0)
rdr->conf.port = $5.val[0];
tableport = rdr->conf.port;
+ if ($7)
+ rdr->conf.flags |= F_PFLOG;
}
| DISABLE { rdr->conf.flags |= F_DISABLE; }
| STICKYADDR { rdr->conf.flags |= F_STICKY; }
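Review bot: The bit set by `rdr->conf.flags |= F_PFLOG;` is stored on the redirect, not on the `listen on` statement it was written on, so in a redirect with several `listen on` lines the keyword on any one of them turns on logging for every rule built for that redirect (pfe_filter.c tests `rdr->conf.flags & F_PFLOG` per rdr, not per virtual address). If that coarse granularity is intended, relayd.conf.5 should say "adds log to every rule generated for this redirect" rather than "will add log to the rule"; if per-listener logging is intended, the flag would have to travel with the entry host() appends to `rdr->virts` instead of with rdr->conf.flags. A short comment at the assignment, `/* F_PFLOG is per redirect: logging applies to all listen addresses */`, would make the choice explicit for the next reader. The rdroptsl action starts in the previous hunk.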
@@ -651,6 +653,10 @@ match : /* empty */ { $$ = 0; }
| MATCH { $$ = 1; }
;
+pflog : /* empty */ { $$ = 0; }
+ | PFLOG { $$ = 1; }
+ ;
+
forwardmode : FORWARD { $$ = FWD_NORMAL; }
| ROUTE { $$ = FWD_ROUTE; }
| TRANSPARENT FORWARD { $$ = FWD_TRANS; }
@@ -2454,6 +2460,7 @@ lookup(char *s)
{ "pass", PASS },
{ "password", PASSWORD },
{ "path", PATH },
+ { "pflog", PFLOG },
{ "pftag", PFTAG },
{ "port", PORT },
{ "prefork", PREFORK },
diff --git a/usr.sbin/relayd/pfe_filter.c b/usr.sbin/relayd/pfe_filter.c
index 97aea01df12..c1851260c62 100644
--- a/usr.sbin/relayd/pfe_filter.c
+++ b/usr.sbin/relayd/pfe_filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfe_filter.c,v 1.65 2023/09/14 09:54:31 yasuoka Exp $ */
+/* $OpenBSD: pfe_filter.c,v 1.66 2024/06/17 08:02:57 sashan Exp $ */
/*
* Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -377,6 +377,11 @@ sync_ruleset(struct relayd *env, struct rdr *rdr, int enable)
rio.rule.direction = PF_IN;
rio.rule.keep_state = PF_STATE_NORMAL;
+ if (rdr->conf.flags & F_PFLOG)
+ rio.rule.log = 1;
+ else
+ rio.rule.log = 0; /* allow change via reload */
+
switch (t->conf.fwdmode) {
case FWD_NORMAL:
/* traditional redirection */
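Review bot: `rio.rule.log = 1;` encodes pf's log request as a bare number although the field is a bitmask of the PF_LOG* flags from net/pfvar.h (the same header that supplies PF_IN and PF_STATE_NORMAL used just above); writing `rio.rule.log = PF_LOG;` states which bit is requested and keeps the code correct if those bits are ever renumbered. The `else` branch resetting the field to 0 is only needed if `rio` is reused across rules rather than zeroed before each one; the comment `allow change via reload` hints at that but does not say it, so `/* rio is reused for every rule: clear log so removing "pflog" takes effect on reload */` would spell out the invariant. sync_ruleset begins and ends outside this hunk, so whether rio is re-initialized per rule cannot be confirmed from the lines shown.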
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 21f3101386a..b4fa8398b84 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.207 2023/10/29 11:27:11 kn Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.208 2024/06/17 08:02:57 sashan Exp $
.\"
.\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: October 29 2023 $
+.Dd $Mdocdate: June 17 2024 $
.Dt RELAYD.CONF 5
.Os
.Sh NAME
@@ -517,6 +517,7 @@ At least one entry for the main table is mandatory.
.Op ip-proto
.Ic port Ar port
.Op Ic interface Ar name
+.Op Ic pflog
.Xc
Specify an
.Ar address
@@ -540,6 +541,12 @@ or
it defaults to
.Cm tcp .
The rule can be optionally restricted to a given interface name.
+The optional
+.Ic pflog
+keyword will add
+.Cm log
+to the rule. The logged packets are sent to
+.Xr pflog 4 .
.It Xo
.Op Ic match
.Ic pftag Ar name
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index b5ac2d111f6..2f55c2bb23b 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.272 2024/05/18 06:34:46 jsg Exp $ */
+/* $OpenBSD: relayd.h,v 1.273 2024/06/17 08:02:57 sashan Exp $ */
/*
* Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -402,6 +402,7 @@ union hashkey {
#define F_TLSINSPECT 0x04000000
#define F_HASHKEY 0x08000000
#define F_AGENTX_TRAPONLY 0x10000000
+#define F_PFLOG 0x20000000
#define F_BITS \
"\10\01DISABLE\02BACKUP\03USED\04DOWN\05ADD\06DEL\07CHANGED" \