From 7c726e761b00f31b5ae94bae8bc5eee71c7cebd0 Mon Sep 17 00:00:00 2001 From: sashan Date: Mon, 17 Jun 2024 08:02:57 +0000 Subject: [PATCH] Change adds a 'log' option to relayd.conf(5) rule. The relayd(8) then uses the option to set corresponding `log` action in pf(4) rules it generates to handle network traffic. The patch comes from Giannis Kapetanakis (bilias _from_ edu.physics.uoc.gr). OK sashan@ --- usr.sbin/relayd/parse.y | 15 +++++++++++---- usr.sbin/relayd/pfe_filter.c | 7 ++++++- usr.sbin/relayd/relayd.conf.5 | 11 +++++++++-- usr.sbin/relayd/relayd.h | 3 ++- 4 files changed, 28 insertions(+), 8 deletions(-) diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y index a6842f97046..739ff164e2e 100644 --- a/usr.sbin/relayd/parse.y +++ b/usr.sbin/relayd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.255 2023/10/29 11:27:11 kn Exp $ */ +/* $OpenBSD: parse.y,v 1.256 2024/06/17 08:02:57 sashan Exp $ */ /* * Copyright (c) 2007 - 2014 Reyk Floeter @@ -179,14 +179,14 @@ typedef struct { %token TIMEOUT TLS TO ROUTER RTLABEL TRANSPARENT URL WITH TTL RTABLE %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE %token EDH TICKETS CONNECTION CONNECTIONS CONTEXT ERRORS STATE CHANGES CHECKS -%token WEBSOCKETS +%token WEBSOCKETS PFLOG %token STRING %token NUMBER %type context hostname interface table value path %type http_type loglevel quick %type dstmode flag forwardmode retry %type opttls opttlsclient -%type redirect_proto relay_proto match +%type redirect_proto relay_proto match pflog %type action ruleaf key_option %type port %type host @@ -605,7 +605,7 @@ rdroptsl : forwardmode TO tablespec interface { $3->conf.rdrid = rdr->conf.id; $3->conf.flags |= F_USED; } - | LISTEN ON STRING redirect_proto port interface { + | LISTEN ON STRING redirect_proto port interface pflog { if (host($3, &rdr->virts, SRV_MAX_VIRTS, &$5, $6, $4) <= 0) { yyerror("invalid virtual ip: %s", $3); 
@@ -618,6 +618,8 @@ rdroptsl : forwardmode TO tablespec interface { if (rdr->conf.port == 0) rdr->conf.port = $5.val[0]; tableport = rdr->conf.port; + if ($7) + rdr->conf.flags |= F_PFLOG; } | DISABLE { rdr->conf.flags |= F_DISABLE; } | STICKYADDR { rdr->conf.flags |= F_STICKY; } @@ -651,6 +653,10 @@ match : /* empty */ { $$ = 0; } | MATCH { $$ = 1; } ; +pflog : /* empty */ { $$ = 0; } + | PFLOG { $$ = 1; } + ; + forwardmode : FORWARD { $$ = FWD_NORMAL; } | ROUTE { $$ = FWD_ROUTE; } | TRANSPARENT FORWARD { $$ = FWD_TRANS; } @@ -2454,6 +2460,7 @@ lookup(char *s) { "pass", PASS }, { "password", PASSWORD }, { "path", PATH }, + { "pflog", PFLOG }, { "pftag", PFTAG }, { "port", PORT }, { "prefork", PREFORK }, diff --git a/usr.sbin/relayd/pfe_filter.c b/usr.sbin/relayd/pfe_filter.c index 97aea01df12..c1851260c62 100644 --- a/usr.sbin/relayd/pfe_filter.c +++ b/usr.sbin/relayd/pfe_filter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfe_filter.c,v 1.65 2023/09/14 09:54:31 yasuoka Exp $ */ +/* $OpenBSD: pfe_filter.c,v 1.66 2024/06/17 08:02:57 sashan Exp $ */ /* * Copyright (c) 2006 Pierre-Yves Ritschard @@ -377,6 +377,11 @@ sync_ruleset(struct relayd *env, struct rdr *rdr, int enable) rio.rule.direction = PF_IN; rio.rule.keep_state = PF_STATE_NORMAL; + if (rdr->conf.flags & F_PFLOG) + rio.rule.log = 1; + else + rio.rule.log = 0; /* allow change via reload */ + switch (t->conf.fwdmode) { case FWD_NORMAL: /* traditional redirection */ diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5 index 21f3101386a..b4fa8398b84 100644 --- a/usr.sbin/relayd/relayd.conf.5 +++ b/usr.sbin/relayd/relayd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: relayd.conf.5,v 1.207 2023/10/29 11:27:11 kn Exp $ +.\" $OpenBSD: relayd.conf.5,v 1.208 2024/06/17 08:02:57 sashan Exp $ .\" .\" Copyright (c) 2006 - 2016 Reyk Floeter .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard 
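Review bot: The pflog keyword is accepted on each `listen on` line, but the bit is stored on the redirect as a whole (`rdr->conf.flags |= F_PFLOG`), so in a redirect with several `listen on` lines (rdr->virts holds up to SRV_MAX_VIRTS of them, see the host() call in the previous hunk) the keyword on any one line enables logging for every pf rule generated for that redirect, and no other line can turn it off again. If that is the intent, relayd.conf.5 should say that pflog applies to the whole redirect; otherwise the bit belongs on the individual virtual address rather than on `rdr->conf.flags`. Either way a one-line comment above the new check, `/* per-redirect: pflog on any listen on line enables log for all of its rules */`, would save the next reader the search. The enclosing rdroptsl action begins in the previous hunk.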
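Review bot: `rio.rule.log = 1` relies on the reader knowing that 1 is pf's PF_LOG bit; the four new lines read better as `rio.rule.log = (rdr->conf.flags & F_PFLOG) ? PF_LOG : 0;`, which keeps the explicit reset on reload that the trailing comment asks for. Because the rule keeps state (`rio.rule.keep_state = PF_STATE_NORMAL` two lines above) and only PF_LOG is set, pf logs the packet that establishes the state and not every packet of the connection, the usual `log` versus `log (all)` distinction of pf.conf(5); a comment here, `/* PF_LOG only: the state-creating packet is logged, not the whole flow */`, would stop anyone expecting full-flow capture on pflog(4). Whether `rio` is zeroed before this point is not visible in the hunk, so the else branch is worth keeping in whichever form, since it is what prevents a stale log bit from surviving a reload. sync_ruleset continues outside the hunk on both sides.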
@@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: October 29 2023 $ +.Dd $Mdocdate: June 17 2024 $ .Dt RELAYD.CONF 5 .Os .Sh NAME @@ -517,6 +517,7 @@ At least one entry for the main table is mandatory. .Op ip-proto .Ic port Ar port .Op Ic interface Ar name +.Op Ic pflog .Xc Specify an .Ar address @@ -540,6 +541,12 @@ or it defaults to .Cm tcp . The rule can be optionally restricted to a given interface name. +The optional +.Ic pflog +keyword will add +.Cm log +to the rule. The logged packets are sent to +.Xr pflog 4 . .It Xo .Op Ic match .Ic pftag Ar name diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h index b5ac2d111f6..2f55c2bb23b 100644 --- a/usr.sbin/relayd/relayd.h +++ b/usr.sbin/relayd/relayd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: relayd.h,v 1.272 2024/05/18 06:34:46 jsg Exp $ */ +/* $OpenBSD: relayd.h,v 1.273 2024/06/17 08:02:57 sashan Exp $ */ /* * Copyright (c) 2006 - 2016 Reyk Floeter @@ -402,6 +402,7 @@ union hashkey { #define F_TLSINSPECT 0x04000000 #define F_HASHKEY 0x08000000 #define F_AGENTX_TRAPONLY 0x10000000 +#define F_PFLOG 0x20000000 #define F_BITS \ "\10\01DISABLE\02BACKUP\03USED\04DOWN\05ADD\06DEL\07CHANGED" \ -- 2.20.1
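Review bot: F_PFLOG gets bit 0x20000000, but the `F_BITS` printb string that starts on the hunk's last line is not extended, so anything that decodes `conf.flags` through F_BITS will show the new bit as an unnamed number. The remainder of F_BITS lies outside the hunk, but if it names the neighbouring flags the entry for this bit is `\36PFLOG` (0x20000000 is bit 30, octal 36), placed in bit order after the entry for 0x10000000; the diffstat (3 lines in relayd.h) confirms F_BITS was not touched by this commit. A short comment on the define, `/* add log to the pf rules generated for this redirect; consumed in sync_ruleset() */`, would also tie the bit to its only consumer.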