Date: Fri, 21 Feb 2025 08:11:52 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 3c0a0de20ffe - main - pf.conf.5: rephrase log() documentation Message-ID: <202502210811.51L8BqSu077014@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=3c0a0de20ffe9d35a0347ce2d19460e84aac808e commit 3c0a0de20ffe9d35a0347ce2d19460e84aac808e Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-02-14 15:11:04 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-02-21 08:11:03 +0000 pf.conf.5: rephrase log() documentation after some discussion with henning, document the various log options as one section; some text was altered to make it read better; ok henning Obtained from: OpenBSD, jmc <jmc@openbsd.org>, cea6f9db1f Sponsored by: Rubicon Communications, LLC ("Netgate") --- share/man/man5/pf.conf.5 | 56 ++++++++++++++++++++++++++++-------------------- 1 file changed, 33 insertions(+), 23 deletions(-) diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 478ce7b956f9..704f43a30f83 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1711,38 +1711,49 @@ If neither nor .Ar out are specified, the rule will match packets in both directions. -.It Ar log -In addition to the action specified, a log message is generated. +.It Ar log Pq Cm all | matches | to Ao Ar interface Ac | Cm user +In addition to any action specified, +log the packet. Only the packet that establishes the state is logged, unless the .Ar no state option is specified. The logged packets are sent to a .Xr pflog 4 -interface, by default -.Ar pflog0 . -This interface is monitored by the +interface, by default pflog0; +pflog0 is monitored by the .Xr pflogd 8 -logging daemon, which dumps the logged packets to the file +logging daemon which logs to the file .Pa /var/log/pflog in .Xr pcap 3 binary format. -.It Ar log (all) -Used to force logging of all packets for a connection. +.Pp +The keywords +.Cm all , matches , to , +and +.Cm user +are all optional, +and can be combined using commas. +.Pp +Use +.Cm all +to force logging of all packets for a connection. This is not necessary when .Ar no state is explicitly specified. -As with -.Ar log , -packets are logged to -.Xr pflog 4 . -.It Ar log (matches) -Log this packet on all subsequent matching rules, using the log settings -given here, in particular to the pflog interface specified here so that -regular pflogs are not clobbered. -.It Ar log (user) -Logs the +.Pp +If +.Cm matches +is specified, +it logs the packet on all subsequent matching rules. +It is often combined with +.Cm to Aq Ar interface +to avoid adding noise to the default log file. +.Pp +The keyword +.Cm user +logs the .Ux user ID of the user that owns the socket and the PID of the process that has the socket open where the packet is sourced from or destined to @@ -1753,11 +1764,10 @@ Only the first packet logged via .Ar log (all, user) will have the user credentials logged when using stateful matching. -.It Ar log (to Aq Ar interface ) -Send logs to the specified -.Xr pflog 4 -interface instead of -.Ar pflog0 . +.Pp +To specify a logging interface other than pflog0, +use the syntax +.Cm to Aq Ar interface . .It Ar quick If a packet matches a rule which has the .Ar quick
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202502210811.51L8BqSu077014>