List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
From: Özkan KIRIK
Date: Tue, 28 Dec 2021 07:50:41 +0300
Subject: Re: Logging NAT translations and correlating nat & rule logs
To: Franco Fichtner
Cc: freebsd-pf@freebsd.org

Hi,

I've cherry-picked commit 8e496ea1df1 to stable/12 on my local branch.
The patch works properly. But the ruleset section in the pflog header is
empty. The anchor name of the rdr rule was not filled into the pflog header.

I'm also looking for a packet identifier for aggregating the nat and
rule logs of the same traversing packet. Does it make sense to use the
ip.id field of the IP header within a 1 second time window for
aggregating logs?

Thanks and regards

On Wed, Dec 1, 2021 at 4:23 PM Özkan KIRIK wrote:
>
> Thank you Franco, I'll test it
>
> On Wed, Dec 1, 2021 at 4:10 PM Franco Fichtner wrote:
> >
> > Hi Özkan,
> >
> > > On 28. Nov 2021, at 8:06 PM, Özkan KIRIK wrote:
> > >
> > > I'm trying to log NAT, BINAT, RDR translations. But the "nat log on
> > > ...." statement only logs the packets after translation is done. So
> > > the information before translation is lost.
> > > Is there a way to log the translation details?
> >
> > https://github.com/freebsd/freebsd-src/commit/8e496ea1df1 was introduced
> > to address this but has not been moved to stable/12 or stable/13.
> >
> > I see there is some controversy around patches that made it to stable
> > for less so I'd probably advocate to add this patch as well since it
> > solves a long-term issue with NAT logging visibility.
> >
> >
> > Cheers,
> > Franco
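
The ip.id-within-one-second correlation asked about in the message above, as an added example that is not part of the original thread and not code from pf or pflog. The record fields, the `nat`/`rule` kind names and the sample entries are constructed, and it assumes ip.id is the same in both log entries for one packet. Because ip.id is a 16-bit value chosen independently by each sender, the sketch reports clusters that cannot be paired one-to-one instead of guessing.

```python
from collections import defaultdict

# Constructed records, not real pflog output. "kind" is which log produced the
# entry; ip_id is assumed to be identical in both entries for one packet.
SAMPLE = [
    {"n": "A-nat",  "ts": 10.000, "kind": "nat",  "proto": "tcp",  "ip_id": 4660},
    {"n": "A-rule", "ts": 10.001, "kind": "rule", "proto": "tcp",  "ip_id": 4660},
    # Two different senders that happened to pick ip_id 7 in the same second.
    {"n": "B-nat",  "ts": 11.000, "kind": "nat",  "proto": "udp",  "ip_id": 7},
    {"n": "B-rule", "ts": 11.001, "kind": "rule", "proto": "udp",  "ip_id": 7},
    {"n": "C-nat",  "ts": 11.400, "kind": "nat",  "proto": "udp",  "ip_id": 7},
    {"n": "C-rule", "ts": 11.401, "kind": "rule", "proto": "udp",  "ip_id": 7},
    # Same ip_id as packet A, but well outside the window: a separate packet.
    {"n": "D-nat",  "ts": 25.000, "kind": "nat",  "proto": "tcp",  "ip_id": 4660},
    {"n": "D-rule", "ts": 25.002, "kind": "rule", "proto": "tcp",  "ip_id": 4660},
    # Logged by a rule only (no translation entry).
    {"n": "E-rule", "ts": 12.000, "kind": "rule", "proto": "icmp", "ip_id": 99},
]

def correlate(records, window=1.0):
    """Group entries by (proto, ip_id) into time clusters no longer than
    `window` seconds; return (pairs, ambiguous, unmatched)."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[(rec["proto"], rec["ip_id"])].append(rec)
    pairs, ambiguous, unmatched = [], [], []
    for recs in by_key.values():
        recs.sort(key=lambda r: r["ts"])
        clusters = [[recs[0]]]
        for rec in recs[1:]:
            # Measure from the first entry of the current cluster.
            if rec["ts"] - clusters[-1][0]["ts"] <= window:
                clusters[-1].append(rec)
            else:
                clusters.append([rec])
        for cluster in clusters:
            kinds = sorted(r["kind"] for r in cluster)
            if kinds == ["nat", "rule"]:
                nat, rule = sorted(cluster, key=lambda r: r["kind"])
                pairs.append((nat["n"], rule["n"]))
            elif len(cluster) == 1:
                unmatched.append(cluster[0]["n"])
            else:  # more than one packet shares this key inside the window
                ambiguous.append([r["n"] for r in cluster])
    return pairs, ambiguous, unmatched

if __name__ == "__main__":
    for label, result in zip(("pairs", "ambiguous", "unmatched"), correlate(SAMPLE)):
        print(label, result)
```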