
From:
Kapetanakis Giannis <bilias@edu.physics.uoc.gr>
Subject:
add pflog(4) on relayd redirect pf rules
To:
tech <tech@openbsd.org>
Date:
Wed, 22 May 2024 18:21:03 +0300


This might be useful for debugging.

It applies `log` to both the match and the pass rules generated for a redirect, can be toggled with `relayctl reload`, and is attached to the `listen on` directive.

G

Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.255
diff -u -p -u -p -r1.255 parse.y
--- parse.y	29 Oct 2023 11:27:11 -0000	1.255
+++ parse.y	22 May 2024 15:12:09 -0000
@@ -179,14 +179,14 @@ typedef struct {
 %token	TIMEOUT TLS TO ROUTER RTLABEL TRANSPARENT URL WITH TTL RTABLE
 %token	MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
 %token	EDH TICKETS CONNECTION CONNECTIONS CONTEXT ERRORS STATE CHANGES CHECKS
-%token	WEBSOCKETS
+%token	WEBSOCKETS PFLOG
 %token	<v.string>	STRING
 %token  <v.number>	NUMBER
 %type	<v.string>	context hostname interface table value path
 %type	<v.number>	http_type loglevel quick
 %type	<v.number>	dstmode flag forwardmode retry
 %type	<v.number>	opttls opttlsclient
-%type	<v.number>	redirect_proto relay_proto match
+%type	<v.number>	redirect_proto relay_proto match pflog
 %type	<v.number>	action ruleaf key_option
 %type	<v.port>	port
 %type	<v.host>	host
@@ -605,7 +605,7 @@ rdroptsl	: forwardmode TO tablespec inte
 			$3->conf.rdrid = rdr->conf.id;
 			$3->conf.flags |= F_USED;
 		}
-		| LISTEN ON STRING redirect_proto port interface {
+		| LISTEN ON STRING redirect_proto port interface pflog {
 			if (host($3, &rdr->virts,
 			    SRV_MAX_VIRTS, &$5, $6, $4) <= 0) {
 				yyerror("invalid virtual ip: %s", $3);
@@ -618,6 +618,8 @@ rdroptsl	: forwardmode TO tablespec inte
 			if (rdr->conf.port == 0)
 				rdr->conf.port = $5.val[0];
 			tableport = rdr->conf.port;
+			if ($7)
+				rdr->conf.flags |= F_PFLOG;
 		}
 		| DISABLE		{ rdr->conf.flags |= F_DISABLE; }
 		| STICKYADDR		{ rdr->conf.flags |= F_STICKY; }
@@ -651,6 +653,10 @@ match		: /* empty */		{ $$ = 0; }
 		| MATCH			{ $$ = 1; }
 		;
 
+pflog		: /* empty */		{ $$ = 0; }
+		| PFLOG			{ $$ = 1; }
+		;
+
 forwardmode	: FORWARD		{ $$ = FWD_NORMAL; }
 		| ROUTE			{ $$ = FWD_ROUTE; }
 		| TRANSPARENT FORWARD	{ $$ = FWD_TRANS; }
@@ -2454,6 +2460,7 @@ lookup(char *s)
 		{ "pass",		PASS },
 		{ "password",		PASSWORD },
 		{ "path",		PATH },
+		{ "pflog",		PFLOG },
 		{ "pftag",		PFTAG },
 		{ "port",		PORT },
 		{ "prefork",		PREFORK },
Index: pfe_filter.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/pfe_filter.c,v
retrieving revision 1.65
diff -u -p -u -p -r1.65 pfe_filter.c
--- pfe_filter.c	14 Sep 2023 09:54:31 -0000	1.65
+++ pfe_filter.c	22 May 2024 15:12:09 -0000
@@ -377,6 +377,11 @@ sync_ruleset(struct relayd *env, struct 
 		rio.rule.direction = PF_IN;
 		rio.rule.keep_state = PF_STATE_NORMAL;
 
+		if (rdr->conf.flags & F_PFLOG)
+			rio.rule.log = 1;
+		else
+			rio.rule.log = 0; /* allow change via reload */
+
 		switch (t->conf.fwdmode) {
 		case FWD_NORMAL:
 			/* traditional redirection */
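Review bot: `rio.rule.log = 1` at the top of the hunk writes a magic value into pf's log flag byte; the same header that supplies PF_IN and PF_STATE_NORMAL on the preceding lines names that bit, so the if/else collapses to `rio.rule.log = (rdr->conf.flags & F_PFLOG) ? PF_LOG : 0;` and the "allow change via reload" comment becomes unnecessary. rule.logif is left untouched, so logged packets go to the default pflog interface; if that is intended, say so: `/* logif stays 0: logged packets always go to pflog0 */`. With plain PF_LOG pf logs only the packet that matches the rule, so a "match ... log" rule will not log every packet of the connection unless PF_LOG_ALL is also set — worth stating in relayd.conf.5 if debugging is the use case. sync_ruleset starts and ends outside the hunk.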
Index: relayd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
retrieving revision 1.207
diff -u -p -u -p -r1.207 relayd.conf.5
--- relayd.conf.5	29 Oct 2023 11:27:11 -0000	1.207
+++ relayd.conf.5	22 May 2024 15:12:09 -0000
@@ -517,6 +517,7 @@ At least one entry for the main table is
 .Op ip-proto
 .Ic port Ar port
 .Op Ic interface Ar name
+.Op Ic pflog
 .Xc
 Specify an
 .Ar address
@@ -540,6 +541,12 @@ or
 it defaults to
 .Cm tcp .
 The rule can be optionally restricted to a given interface name.
+The optional
+.Ic pflog
+keyword will add 
+.Cm log
+to the rule. The logged packets are sent to
+.Xr pflog 4 .
 .It Xo
 .Op Ic match
 .Ic pftag Ar name
Index: relayd.h
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.h,v
retrieving revision 1.272
diff -u -p -u -p -r1.272 relayd.h
--- relayd.h	18 May 2024 06:34:46 -0000	1.272
+++ relayd.h	22 May 2024 15:12:09 -0000
@@ -402,6 +402,7 @@ union hashkey {
 #define F_TLSINSPECT		0x04000000
 #define F_HASHKEY		0x08000000
 #define F_AGENTX_TRAPONLY	0x10000000
+#define F_PFLOG	0x20000000
 
 #define F_BITS								\
 	"\10\01DISABLE\02BACKUP\03USED\04DOWN\05ADD\06DEL\07CHANGED"	\
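Review bot: The new `#define F_PFLOG\t0x20000000` uses a single tab where the neighbouring definitions use two, so its value no longer lines up with the column above; `#define F_PFLOG\t\t0x20000000`. The F_BITS printb string that starts directly below continues past the hunk and is not touched by this diff, so the new bit presumably shows up unnamed in flag dumps; if that string enumerates every F_* bit, add the matching `\36PFLOG` entry (bit 30 in printb's 1-based numbering for 0x20000000).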