author    Mark Johnston <markj@FreeBSD.org> 2025-01-16 15:44:40 +0000
committer Mark Johnston <markj@FreeBSD.org> 2025-01-30 15:28:15 +0000
commit    3d30774f0056b4d1d5eaaf4b560b850eddf1b670 (patch)
tree      ff78ed2f1c31b1248080928d7b017c248c9ca176
parent    d45326bfeab79e409acf7afac5556879fc5705c3 (diff)
pf: Force logging if pf_create_state() fails
Currently packets are logged before pf_create_state() is called, so we might log a packet as passed that is subsequently dropped due to state creation failure. In particular, the drop is not logged, which is wrong.

Improve the situation a bit: force logging if state creation fails. This isn't totally right as we'll end up logging the packet twice in this case, but it's better than not logging the drop at all.

Add a regression test.

Discussed with: kp, ks
Co-authored-by: Franco Fichtner <franco@opnsense.org>
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D47953

(cherry picked from commit 886396f1b1a727c642071965612e2c2c9dd11d6c)
-rw-r--r-- sys/netpfil/pf/pf.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 81e942085ad2..064277082475 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5055,6 +5055,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
sport, dport, &rewrite, kif, sm, tag, bproto_sum, bip_sum,
hdrlen, &match_rules);
if (action != PF_PASS) {
+ pd->act.log |= PF_LOG_FORCE;
if (action == PF_DROP &&
(r->rule_flag & PFRULE_RETURN))
pf_return(r, nr, pd, sk, off, m, th, kif,
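Review bot: the added `pd->act.log |= PF_LOG_FORCE;` has no comment, yet the commit message records a non-obvious consequence (the packet was already logged as passed before pf_create_state(), so on failure it is now logged a second time, as a drop); a one-line comment at the insertion point, e.g. `/* Force logging so the drop is recorded; the packet may already have been logged as passed. */`, would keep that rationale beside the code. Note also that the flag is set for every non-PF_PASS result, including the PFRULE_RETURN path that follows, which matches the message's intent but is worth stating. Separately, the message says "Add a regression test" while the diffstat lists only sys/netpfil/pf/pf.c, so either the test was committed separately or the message should say so.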