| field | value | date |
|---|---|---|
| author | Kristof Provost <kp@FreeBSD.org> | 2021-10-29 15:40:53 +0000 |
| committer | Kristof Provost <kp@FreeBSD.org> | 2021-11-05 08:39:56 +0000 |
| commit | 76c5eecc3490d89a9a3492ed2354802b69d69602 (patch) | |
| tree | a06cb4aeb8a99d9b5f358345399b2cebd412419f /share | |
| parent | 80e5955b085af20e65ef84066a164936413748e3 (diff) | |
| download | src-76c5eecc3490d89a9a3492ed2354802b69d69602.tar.gz, src-76c5eecc3490d89a9a3492ed2354802b69d69602.zip | |
pf: Introduce ridentifier
Allow users to set a number on rules which will be exposed as part of
the pflog header.
The intent behind this is to allow users to correlate rules across
updates (remember that pf rules continue to exist and match existing
states, even if they're removed from the active ruleset) and pflog.
Obtained from: pfSense
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32750
Diffstat (limited to 'share')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | share/man/man4/pflog.4 | 3 |
| -rw-r--r-- | share/man/man5/pf.conf.5 | 7 |

2 files changed, 8 insertions, 2 deletions
diff --git a/share/man/man4/pflog.4 b/share/man/man4/pflog.4 index 300092a9532b..19eb7012bca3 100644 --- a/share/man/man4/pflog.4 +++ b/share/man/man4/pflog.4 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd April 18, 2019 +.Dd October 29, 2021 .Dt PFLOG 4 .Os .Sh NAME @@ -84,6 +84,7 @@ struct pfloghdr { pid_t rule_pid; u_int8_t dir; u_int8_t pad[3]; + u_int32_t ridentifier; }; .Ed .Sh EXAMPLES diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 9f69db70d90b..63b8acaef358 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1896,6 +1896,9 @@ pass in inet proto tcp from any to 1.2.3.5 \e The macro expansion for the .Ar label directive occurs only at configuration file parse time, not during runtime. +.It Ar ridentifier Aq Ar number +Add an identifier (number) to the rule, which can be used to correlate the rule +to pflog entries, even after ruleset updates. .It Xo Ar queue Aq Ar queue .No \*(Ba ( Aq Ar queue , .Aq Ar queue ) @@ -3000,7 +3003,8 @@ filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos | "queue" ( string | "(" string [ [ "," ] string ] ")" ) | "rtable" number | "probability" number"%" | "prio" number | "dnpipe" ( number | "(" number "," number ")" ) | - "dnqueue" ( number | "(" number "," number ")" ) + "dnqueue" ( number | "(" number "," number ")" ) | + "ridentifier" number nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ] [ "on" ifspec ] [ af ] @@ -3024,6 +3028,7 @@ rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ] antispoof-rule = "antispoof" [ "log" ] [ "quick" ] "for" ifspec [ af ] [ "label" string ] + [ "ridentifier" number ] table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ] tableopts-list = tableopts-list tableopts | tableopts |
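Review bot: the `struct pfloghdr` hunk in pflog.4 adds `u_int32_t ridentifier;` without any text describing the field, and this struct is the header that every pflog consumer parses from the wire, so the page should say what the field carries (the rule's `ridentifier` number from pf.conf, as the pf.conf.5 hunk describes) and note that the header grows by four bytes, meaning tools that dissect pflog captures with the old layout will misparse records until they are updated.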
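Review bot: the new `.It Ar ridentifier Aq Ar number` entry in pf.conf.5 gives no accepted range for `number`, no default for when the option is omitted, and does not say whether pf checks that identifiers are unique across rules; since the stated purpose is correlating rules with pflog entries across ruleset updates, the description should state that the value is exposed as the 32-bit `ridentifier` field of the pflog header and that keeping identifiers distinct is the administrator's responsibility if pf does not enforce it.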
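Review bot: the antispoof-rule grammar hunk adds `[ "ridentifier" number ]` while the nat-rule and rdr-rule productions visible around it are left unchanged, and the ridentifier description in the earlier hunk does not say which rule types accept the option; either extend those productions as well if the parser accepts ridentifier there, or state in the description that the option applies to filter and antispoof rules only.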