From: Kapetanakis Giannis
Subject: add pflog(4) on relayd redirect pf rules
To: tech
Date: Wed, 22 May 2024 18:21:03 +0300
This might be useful for debugging. Applies log on either match/pass rules and can be changed via relayctl reload. Attached to listen on directive. G
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.255
diff -u -p -u -p -r1.255 parse.y
--- parse.y 29 Oct 2023 11:27:11 -0000 1.255
+++ parse.y 22 May 2024 15:12:09 -0000
@@ -179,14 +179,14 @@ typedef struct {
 %token TIMEOUT TLS TO ROUTER RTLABEL TRANSPARENT URL WITH TTL RTABLE
 %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
 %token EDH TICKETS CONNECTION CONNECTIONS CONTEXT ERRORS STATE CHANGES CHECKS
-%token WEBSOCKETS
+%token WEBSOCKETS PFLOG
 %token STRING
 %token NUMBER
 %type context hostname interface table value path
 %type http_type loglevel quick
 %type dstmode flag forwardmode retry
 %type opttls opttlsclient
-%type redirect_proto relay_proto match
+%type redirect_proto relay_proto match pflog
 %type action ruleaf key_option
 %type port
 %type host
@@ -605,7 +605,7 @@ rdroptsl : forwardmode TO tablespec inte
 $3->conf.rdrid = rdr->conf.id;
 $3->conf.flags |= F_USED;
 }
- | LISTEN ON STRING redirect_proto port interface {
+ | LISTEN ON STRING redirect_proto port interface pflog {
 if (host($3, &rdr->virts, SRV_MAX_VIRTS,
 &$5, $6, $4) <= 0) {
 yyerror("invalid virtual ip: %s", $3);
@@ -618,6 +618,8 @@ rdroptsl : forwardmode TO tablespec inte
 if (rdr->conf.port == 0)
 rdr->conf.port = $5.val[0];
 tableport = rdr->conf.port;
+ if ($7)
+ rdr->conf.flags |= F_PFLOG;
 }
 | DISABLE { rdr->conf.flags |= F_DISABLE; }
 | STICKYADDR { rdr->conf.flags |= F_STICKY; }
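Review bot: The `pflog` keyword is accepted on each `listen on` line, but `if ($7) rdr->conf.flags |= F_PFLOG;` records it on the redirection as a whole, so when one redirection has several `listen on` entries (up to SRV_MAX_VIRTS, per the `host()` call in the preceding hunk) the keyword on any one of them enables logging for the pf rules of every virtual address, and there is no syntax to log just one. If sync_ruleset() emits one rule per virtual address (not visible here) and that behaviour is intended, relayd.conf.5 should say the keyword applies to all `listen on` addresses of the redirection; otherwise the bit belongs on the address entry that `host()` appends to `rdr->virts` rather than on `rdr->conf.flags`. The `rdroptsl` rule continues outside the hunk.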
@@ -651,6 +653,10 @@ match : /* empty */ { $$ = 0; }
 | MATCH { $$ = 1; }
 ;
 
+pflog : /* empty */ { $$ = 0; }
+ | PFLOG { $$ = 1; }
+ ;
+
 forwardmode : FORWARD { $$ = FWD_NORMAL; }
 | ROUTE { $$ = FWD_ROUTE; }
 | TRANSPARENT FORWARD { $$ = FWD_TRANS; }
@@ -2454,6 +2460,7 @@ lookup(char *s)
 { "pass", PASS },
 { "password", PASSWORD },
 { "path", PATH },
+ { "pflog", PFLOG },
 { "pftag", PFTAG },
 { "port", PORT },
 { "prefork", PREFORK },
Index: pfe_filter.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/pfe_filter.c,v
retrieving revision 1.65
diff -u -p -u -p -r1.65 pfe_filter.c
--- pfe_filter.c 14 Sep 2023 09:54:31 -0000 1.65
+++ pfe_filter.c 22 May 2024 15:12:09 -0000
@@ -377,6 +377,11 @@ sync_ruleset(struct relayd *env, struct
 rio.rule.direction = PF_IN;
 rio.rule.keep_state = PF_STATE_NORMAL;
 
+ if (rdr->conf.flags & F_PFLOG)
+ rio.rule.log = 1;
+ else
+ rio.rule.log = 0; /* allow change via reload */
+
 switch (t->conf.fwdmode) {
 case FWD_NORMAL:
 /* traditional redirection */
Index: relayd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
retrieving revision 1.207
diff -u -p -u -p -r1.207 relayd.conf.5
--- relayd.conf.5 29 Oct 2023 11:27:11 -0000 1.207
+++ relayd.conf.5 22 May 2024 15:12:09 -0000
@@ -517,6 +517,7 @@ At least one entry for the main table is
 .Op ip-proto
 .Ic port Ar port
 .Op Ic interface Ar name
+.Op Ic pflog
 .Xc
 Specify an
 .Ar address
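Review bot: `rio.rule.log = 1;` in the pfe_filter.c hunk stores a bare number into a pf bitmask field; net/pfvar.h, which this file already relies on for `PF_IN` and `PF_STATE_NORMAL`, names that bit `PF_LOG`, and the two-branch if/else with its `/* allow change via reload */` comment collapses to one assignment that states the reload semantics directly: `rio.rule.log = (rdr->conf.flags & F_PFLOG) ? PF_LOG : 0;`. If `rio` is already zeroed earlier in the per-rule loop (not visible in the hunk) the explicit clear is redundant but harmless, so the single assignment is the right shape either way. `sync_ruleset()` starts and ends outside the hunk.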
@@ -540,6 +541,12 @@ or it defaults to
 .Cm tcp .
 The rule can be optionally restricted to a given interface name.
+The optional
+.Ic pflog
+keyword will add
+.Cm log
+to the rule. The logged packets are sent to
+.Xr pflog 4 .
 .It Xo
 .Op Ic match
 .Ic pftag Ar name
Index: relayd.h
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.h,v
retrieving revision 1.272
diff -u -p -u -p -r1.272 relayd.h
--- relayd.h 18 May 2024 06:34:46 -0000 1.272
+++ relayd.h 22 May 2024 15:12:09 -0000
@@ -402,6 +402,7 @@ union hashkey {
 #define F_TLSINSPECT 0x04000000
 #define F_HASHKEY 0x08000000
 #define F_AGENTX_TRAPONLY 0x10000000
+#define F_PFLOG 0x20000000
 #define F_BITS \
 "\10\01DISABLE\02BACKUP\03USED\04DOWN\05ADD\06DEL\07CHANGED" \