This change adds a 'pflog' option to relayd.conf(5) redirect rules. relayd(8) then uses the option to set the corresponding `log` action in the pf(4) rules it generates to handle network traffic. The patch comes from Giannis Kapetanakis (bilias _from_ edu.physics.uoc.gr). OK sashan@
This commit is contained in:
parent
32069374fc
commit
7c726e761b
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: parse.y,v 1.255 2023/10/29 11:27:11 kn Exp $ */
|
/* $OpenBSD: parse.y,v 1.256 2024/06/17 08:02:57 sashan Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
|
* Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
|
||||||
@ -179,14 +179,14 @@ typedef struct {
|
|||||||
%token TIMEOUT TLS TO ROUTER RTLABEL TRANSPARENT URL WITH TTL RTABLE
|
%token TIMEOUT TLS TO ROUTER RTLABEL TRANSPARENT URL WITH TTL RTABLE
|
||||||
%token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
|
%token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
|
||||||
%token EDH TICKETS CONNECTION CONNECTIONS CONTEXT ERRORS STATE CHANGES CHECKS
|
%token EDH TICKETS CONNECTION CONNECTIONS CONTEXT ERRORS STATE CHANGES CHECKS
|
||||||
%token WEBSOCKETS
|
%token WEBSOCKETS PFLOG
|
||||||
%token <v.string> STRING
|
%token <v.string> STRING
|
||||||
%token <v.number> NUMBER
|
%token <v.number> NUMBER
|
||||||
%type <v.string> context hostname interface table value path
|
%type <v.string> context hostname interface table value path
|
||||||
%type <v.number> http_type loglevel quick
|
%type <v.number> http_type loglevel quick
|
||||||
%type <v.number> dstmode flag forwardmode retry
|
%type <v.number> dstmode flag forwardmode retry
|
||||||
%type <v.number> opttls opttlsclient
|
%type <v.number> opttls opttlsclient
|
||||||
%type <v.number> redirect_proto relay_proto match
|
%type <v.number> redirect_proto relay_proto match pflog
|
||||||
%type <v.number> action ruleaf key_option
|
%type <v.number> action ruleaf key_option
|
||||||
%type <v.port> port
|
%type <v.port> port
|
||||||
%type <v.host> host
|
%type <v.host> host
|
||||||
@ -605,7 +605,7 @@ rdroptsl : forwardmode TO tablespec interface {
|
|||||||
$3->conf.rdrid = rdr->conf.id;
|
$3->conf.rdrid = rdr->conf.id;
|
||||||
$3->conf.flags |= F_USED;
|
$3->conf.flags |= F_USED;
|
||||||
}
|
}
|
||||||
| LISTEN ON STRING redirect_proto port interface {
|
| LISTEN ON STRING redirect_proto port interface pflog {
|
||||||
if (host($3, &rdr->virts,
|
if (host($3, &rdr->virts,
|
||||||
SRV_MAX_VIRTS, &$5, $6, $4) <= 0) {
|
SRV_MAX_VIRTS, &$5, $6, $4) <= 0) {
|
||||||
yyerror("invalid virtual ip: %s", $3);
|
yyerror("invalid virtual ip: %s", $3);
|
||||||
@ -618,6 +618,8 @@ rdroptsl : forwardmode TO tablespec interface {
|
|||||||
if (rdr->conf.port == 0)
|
if (rdr->conf.port == 0)
|
||||||
rdr->conf.port = $5.val[0];
|
rdr->conf.port = $5.val[0];
|
||||||
tableport = rdr->conf.port;
|
tableport = rdr->conf.port;
|
||||||
|
if ($7)
|
||||||
|
rdr->conf.flags |= F_PFLOG;
|
||||||
}
|
}
|
||||||
| DISABLE { rdr->conf.flags |= F_DISABLE; }
|
| DISABLE { rdr->conf.flags |= F_DISABLE; }
|
||||||
| STICKYADDR { rdr->conf.flags |= F_STICKY; }
|
| STICKYADDR { rdr->conf.flags |= F_STICKY; }
|
||||||
@ -651,6 +653,10 @@ match : /* empty */ { $$ = 0; }
|
|||||||
| MATCH { $$ = 1; }
|
| MATCH { $$ = 1; }
|
||||||
;
|
;
|
||||||
|
|
||||||
|
pflog : /* empty */ { $$ = 0; }
|
||||||
|
| PFLOG { $$ = 1; }
|
||||||
|
;
|
||||||
|
|
||||||
forwardmode : FORWARD { $$ = FWD_NORMAL; }
|
forwardmode : FORWARD { $$ = FWD_NORMAL; }
|
||||||
| ROUTE { $$ = FWD_ROUTE; }
|
| ROUTE { $$ = FWD_ROUTE; }
|
||||||
| TRANSPARENT FORWARD { $$ = FWD_TRANS; }
|
| TRANSPARENT FORWARD { $$ = FWD_TRANS; }
|
||||||
@ -2454,6 +2460,7 @@ lookup(char *s)
|
|||||||
{ "pass", PASS },
|
{ "pass", PASS },
|
||||||
{ "password", PASSWORD },
|
{ "password", PASSWORD },
|
||||||
{ "path", PATH },
|
{ "path", PATH },
|
||||||
|
{ "pflog", PFLOG },
|
||||||
{ "pftag", PFTAG },
|
{ "pftag", PFTAG },
|
||||||
{ "port", PORT },
|
{ "port", PORT },
|
||||||
{ "prefork", PREFORK },
|
{ "prefork", PREFORK },
|
||||||
|
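Review bot: The new `pflog` keyword is parsed per `listen on` clause, but `if ($7) rdr->conf.flags |= F_PFLOG;` stores it in the redirect-wide flags, so a redirect with several `listen on` lines will log all of them as soon as one carries `pflog`, and there is no way to log only one address. If that is intended, the relayd.conf(5) text should say so (e.g. "logging applies to every listen address of the redirect"); otherwise the option would need to live on the virtual-host entry that `host()` fills, which is outside this hunk. The `lookup()` table is presumably searched with bsearch(3) as in the other OpenBSD parsers, so the `{ "pflog", PFLOG }` entry must stay in sorted order between "path" and "pftag" — it does here, but a comment `/* keep sorted for bsearch */` near the table would protect future additions; the table's declaration is outside the hunk.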
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: pfe_filter.c,v 1.65 2023/09/14 09:54:31 yasuoka Exp $ */
|
/* $OpenBSD: pfe_filter.c,v 1.66 2024/06/17 08:02:57 sashan Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
|
* Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
|
||||||
@ -377,6 +377,11 @@ sync_ruleset(struct relayd *env, struct rdr *rdr, int enable)
|
|||||||
rio.rule.direction = PF_IN;
|
rio.rule.direction = PF_IN;
|
||||||
rio.rule.keep_state = PF_STATE_NORMAL;
|
rio.rule.keep_state = PF_STATE_NORMAL;
|
||||||
|
|
||||||
|
if (rdr->conf.flags & F_PFLOG)
|
||||||
|
rio.rule.log = 1;
|
||||||
|
else
|
||||||
|
rio.rule.log = 0; /* allow change via reload */
|
||||||
|
|
||||||
switch (t->conf.fwdmode) {
|
switch (t->conf.fwdmode) {
|
||||||
case FWD_NORMAL:
|
case FWD_NORMAL:
|
||||||
/* traditional redirection */
|
/* traditional redirection */
|
||||||
|
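Review bot: `rio.rule.log = 1;` writes a magic value into pf's `log` field, which is a bit set rather than a boolean; pfvar.h exports the names for it, so the assignment should read `rio.rule.log = PF_LOG;` to make the intent explicit and avoid accidentally matching another PF_LOG_* bit. Worth a comment as well: with plain `PF_LOG` pf logs only the packet that matches the rule (normally the state-creating packet), not every packet of the connection, which is what operators often expect from "log"; `/* PF_LOG logs the matching packet only; PF_LOG_ALL would log all packets of the state */` documents that limitation where it is decided. The `else` branch resetting `log` to 0 is correct for reload, since `rio` may otherwise carry the previous value. sync_ruleset() begins and ends outside this hunk.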
@ -1,4 +1,4 @@
|
|||||||
.\" $OpenBSD: relayd.conf.5,v 1.207 2023/10/29 11:27:11 kn Exp $
|
.\" $OpenBSD: relayd.conf.5,v 1.208 2024/06/17 08:02:57 sashan Exp $
|
||||||
.\"
|
.\"
|
||||||
.\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
|
.\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
|
||||||
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
|
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
|
||||||
@ -15,7 +15,7 @@
|
|||||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
.\"
|
.\"
|
||||||
.Dd $Mdocdate: October 29 2023 $
|
.Dd $Mdocdate: June 17 2024 $
|
||||||
.Dt RELAYD.CONF 5
|
.Dt RELAYD.CONF 5
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -517,6 +517,7 @@ At least one entry for the main table is mandatory.
|
|||||||
.Op ip-proto
|
.Op ip-proto
|
||||||
.Ic port Ar port
|
.Ic port Ar port
|
||||||
.Op Ic interface Ar name
|
.Op Ic interface Ar name
|
||||||
|
.Op Ic pflog
|
||||||
.Xc
|
.Xc
|
||||||
Specify an
|
Specify an
|
||||||
.Ar address
|
.Ar address
|
||||||
@ -540,6 +541,12 @@ or
|
|||||||
it defaults to
|
it defaults to
|
||||||
.Cm tcp .
|
.Cm tcp .
|
||||||
The rule can be optionally restricted to a given interface name.
|
The rule can be optionally restricted to a given interface name.
|
||||||
|
The optional
|
||||||
|
.Ic pflog
|
||||||
|
keyword will add
|
||||||
|
.Cm log
|
||||||
|
to the rule. The logged packets are sent to
|
||||||
|
.Xr pflog 4 .
|
||||||
.It Xo
|
.It Xo
|
||||||
.Op Ic match
|
.Op Ic match
|
||||||
.Ic pftag Ar name
|
.Ic pftag Ar name
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: relayd.h,v 1.272 2024/05/18 06:34:46 jsg Exp $ */
|
/* $OpenBSD: relayd.h,v 1.273 2024/06/17 08:02:57 sashan Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
|
* Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
|
||||||
@ -402,6 +402,7 @@ union hashkey {
|
|||||||
#define F_TLSINSPECT 0x04000000
|
#define F_TLSINSPECT 0x04000000
|
||||||
#define F_HASHKEY 0x08000000
|
#define F_HASHKEY 0x08000000
|
||||||
#define F_AGENTX_TRAPONLY 0x10000000
|
#define F_AGENTX_TRAPONLY 0x10000000
|
||||||
|
#define F_PFLOG 0x20000000
|
||||||
|
|
||||||
#define F_BITS \
|
#define F_BITS \
|
||||||
"\10\01DISABLE\02BACKUP\03USED\04DOWN\05ADD\06DEL\07CHANGED" \
|
"\10\01DISABLE\02BACKUP\03USED\04DOWN\05ADD\06DEL\07CHANGED" \
|
||||||
|
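Review bot: The new `#define F_PFLOG 0x20000000` takes the next free bit after F_AGENTX_TRAPONLY, but the `F_BITS` string that follows appears to be the printb(3)-style legend for these flags and its tail is outside this hunk; if it already lists `\35AGENTX_TRAPONLY`, a matching `\36PFLOG` entry should be appended so debug output of the flag word shows the new bit instead of a bare number. A short comment on the define, `/* add "log" to generated pf(4) rule, see sync_ruleset() */`, would tie the flag to the code that consumes it.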