ok mvs@
> On 11 Jan 2021, at 19:49, Alexander Bluhm <alexander.bl...@gmx.net> wrote:
>
> Hi,
>
> Sometimes an uid is logged in pflog(4) although the logopt of the
> rule does not specify it. Check the option again for the log rule
> in case another rule has triggered a socket lookup. Remove logopt
> group, it is not documented and cannot work as struct pfloghdr does
> not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER to
> express what it does. The lookup involved is only an implementation
> detail.
>
> ok?
>
> bluhm
>
> Index: sys/net/if_pflog.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_pflog.c,v
> retrieving revision 1.91
> diff -u -p -r1.91 if_pflog.c
> --- sys/net/if_pflog.c 28 Aug 2020 12:01:48 -0000 1.91
> +++ sys/net/if_pflog.c 11 Jan 2021 14:44:55 -0000
> @@ -253,9 +253,9 @@ pflog_packet(struct pf_pdesc *pd, u_int8
> strlcpy(hdr.ruleset, ruleset->anchor->name,
> sizeof(hdr.ruleset));
> }
> - if (trigger->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done)
> + if (trigger->log & PF_LOG_USER && !pd->lookup.done)
> pd->lookup.done = pf_socket_lookup(pd);
> - if (pd->lookup.done > 0) {
> + if (trigger->log & PF_LOG_USER && pd->lookup.done > 0) {
> hdr.uid = pd->lookup.uid;
> hdr.pid = pd->lookup.pid;
> } else {
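Review bot: The second `if` is the actual fix: without the added `trigger->log & PF_LOG_USER` test, a `pd->lookup.done` left over from an earlier rule that did request the lookup (or from `user`/`group` matching) would copy `uid`/`pid` into the header for a rule whose `log` option never asked for it. Since the same flag test now appears on two consecutive lines, consider hoisting it into a local (e.g. `int loguser = trigger->log & PF_LOG_USER;`) and, while here, parenthesising the `&` inside the `&&`; `&` does bind tighter, but the explicit form is easier to audit.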
> Index: sys/net/pfvar.h
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/net/pfvar.h,v
> retrieving revision 1.497
> diff -u -p -r1.497 pfvar.h
> --- sys/net/pfvar.h 14 Oct 2020 19:22:14 -0000 1.497
> +++ sys/net/pfvar.h 11 Jan 2021 14:46:54 -0000
> @@ -156,7 +156,7 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE
>
> #define PF_LOG 0x01
> #define PF_LOG_ALL 0x02
> -#define PF_LOG_SOCKET_LOOKUP 0x04
> +#define PF_LOG_USER 0x04
> #define PF_LOG_FORCE 0x08
> #define PF_LOG_MATCHES 0x10
>
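Review bot: Keeping the value at `0x04` while renaming the symbol means existing `struct pf_rule` contents and the pfctl/kernel ABI are unaffected, which is good. The rename does need every remaining user of `PF_LOG_SOCKET_LOOKUP` updated in the same commit; the diff covers `if_pflog.c`, `parse.y` and `pfctl_parser.c`, so a final `grep` for the old name across the tree before committing would confirm nothing else (for example another tree user of `pfvar.h`) breaks the build.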
> Index: sbin/pfctl/parse.y
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sbin/pfctl/parse.y,v
> retrieving revision 1.707
> diff -u -p -r1.707 parse.y
> --- sbin/pfctl/parse.y 16 Dec 2020 18:01:16 -0000 1.707
> +++ sbin/pfctl/parse.y 11 Jan 2021 14:44:46 -0000
> @@ -2409,8 +2409,7 @@ logopts : logopt { $$ =
> $1; }
>
> logopt : ALL { $$.log = PF_LOG_ALL; $$.logif = 0; }
> | MATCHES { $$.log = PF_LOG_MATCHES; $$.logif = 0; }
> - | USER { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
> - | GROUP { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
> + | USER { $$.log = PF_LOG_USER; $$.logif = 0; }
> | TO string {
> const char *errstr;
> u_int i;
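Review bot: Dropping the `GROUP` alternative from `logopt` is correct given the commit message (`struct pfloghdr` carries no gid, so `log (group)` could never have worked). Two follow-ups: if the `GROUP` token is still used by other productions (pf rules accept `group` for socket-owner matching) the lexer entry stays, otherwise yacc will report an unused token and the keyword should go from the keyword table too; and since any existing `pf.conf` with `log (group)` will now fail to parse, a line in the commit message or a note to users would be appropriate even though the option was undocumented.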
> Index: sbin/pfctl/pfctl_parser.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sbin/pfctl/pfctl_parser.c,v
> retrieving revision 1.344
> diff -u -p -r1.344 pfctl_parser.c
> --- sbin/pfctl/pfctl_parser.c 29 Dec 2020 19:50:28 -0000 1.344
> +++ sbin/pfctl/pfctl_parser.c 11 Jan 2021 14:44:26 -0000
> @@ -795,7 +795,7 @@ print_rule(struct pf_rule *r, const char
> printf("%sall", count++ ? ", " : "");
> if (r->log & PF_LOG_MATCHES)
> printf("%smatches", count++ ? ", " : "");
> - if (r->log & PF_LOG_SOCKET_LOOKUP)
> + if (r->log & PF_LOG_USER)
> printf("%suser", count++ ? ", " : "");
> if (r->logif)
> printf("%sto pflog%u", count++ ? ", " : "",
>