The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=3d30774f0056b4d1d5eaaf4b560b850eddf1b670
commit 3d30774f0056b4d1d5eaaf4b560b850eddf1b670 Author: Mark Johnston <ma...@freebsd.org> AuthorDate: 2025-01-16 15:44:40 +0000 Commit: Mark Johnston <ma...@freebsd.org> CommitDate: 2025-01-30 15:28:15 +0000 pf: Force logging if pf_create_state() fails Currently packets are logged before pf_create_state() is called, so we might log a packet as passed that is subsequently dropped due to state creation failure. In particular, the drop is not logged, which is wrong. Improve the situation a bit: force logging if state creation fails. This isn't totally right as we'll end up logging the packet twice in this case, but it's better than not logging the drop at all. Add a regression test. Discussed with: kp, ks Co-authored-by: Franco Fichtner <fra...@opnsense.org> MFC after: 2 weeks Sponsored by: Klara, Inc. Sponsored by: OPNsense Differential Revision: https://reviews.freebsd.org/D47953 (cherry picked from commit 886396f1b1a727c642071965612e2c2c9dd11d6c) --- sys/netpfil/pf/pf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 81e942085ad2..064277082475 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -5055,6 +5055,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif, sport, dport, &rewrite, kif, sm, tag, bproto_sum, bip_sum, hdrlen, &match_rules); if (action != PF_PASS) { + pd->act.log |= PF_LOG_FORCE; if (action == PF_DROP && (r->rule_flag & PFRULE_RETURN)) pf_return(r, nr, pd, sk, off, m, th, kif,
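Review bot: the new `pd->act.log |= PF_LOG_FORCE;` inside the `if (action != PF_PASS)` block deserves an inline comment, because the rationale lives only in the commit message: the packet may already have been logged as passed before pf_create_state() ran, and the duplicate entry is accepted so that the drop is never silently lost. Something like `/* Force logging: the packet may already be logged as passed, but the drop must be logged too. */` keeps that reasoning next to the code. Note also that the flag is set for every non-PF_PASS action returned here, not only PF_DROP, which matches the stated intent but is worth saying in that comment. Finally, the diffstat lists only sys/netpfil/pf/pf.c while the message says a regression test was added; if the test was not cherry-picked together with this change, the stable/14 message could state that.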