Date: Thu, 30 Jan 2025 16:08:50 GMT
Message-Id: <202501301608.50UG8oIg044792@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 3d30774f0056 - stable/14 - pf: Force logging if pf_create_state() fails
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=3d30774f0056b4d1d5eaaf4b560b850eddf1b670

commit 3d30774f0056b4d1d5eaaf4b560b850eddf1b670
Author:     Mark Johnston
AuthorDate: 2025-01-16 15:44:40 +0000
Commit:     Mark Johnston
CommitDate: 2025-01-30 15:28:15 +0000

    pf: Force logging if pf_create_state() fails

    Currently packets are logged before pf_create_state() is called, so we
    might log a packet as passed that is subsequently dropped due to state
    creation failure. In particular, the drop is not logged, which is wrong.

    Improve the situation a bit: force logging if state creation fails. This
    isn't totally right as we'll end up logging the packet twice in this
    case, but it's better than not logging the drop at all.

    Add a regression test.

    Discussed with: kp, ks
    Co-authored-by: Franco Fichtner
    MFC after: 2 weeks
    Sponsored by: Klara, Inc.
    Sponsored by: OPNsense
    Differential Revision: https://reviews.freebsd.org/D47953

    (cherry picked from commit 886396f1b1a727c642071965612e2c2c9dd11d6c)

--- sys/netpfil/pf/pf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 81e942085ad2..064277082475 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c
@@ -5055,6 +5055,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif, sport, dport, &rewrite, kif, sm, tag, bproto_sum, bip_sum, hdrlen, &match_rules); if (action != PF_PASS) { + pd->act.log |= PF_LOG_FORCE; if (action == PF_DROP && (r->rule_flag & PFRULE_RETURN)) pf_return(r, nr, pd, sk, off, m, th, kif,
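
Review bot: The added `pd->act.log |= PF_LOG_FORCE;` at the top of the `if (action != PF_PASS)` block carries no comment, even though the commit message says it knowingly makes the packet get logged twice (once as passed before state creation, once for the drop). A one-line comment there, for example `/* Already logged as passed; force a log entry for the drop. */`, would stop a later reader from removing the flag as redundant and would tell anyone consuming pf logs to expect a pass entry followed by a drop entry for the same packet. Separately, the message says "Add a regression test", but the diffstat for this cherry-pick lists only sys/netpfil/pf/pf.c with one insertion, so it is worth confirming that the test reached stable/14 in another commit.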