pf.conf(5) buglet wrt logging
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: pf.conf(5) buglet wrt logging
- From: Tamas TEVESZ <ice_(_at_)_extreme_(_dot_)_hu>
- Date: Sat, 10 Dec 2005 04:02:35 +0100 (CET)
hi,
diff below removes the `log' keyword from the nat, binat and rdr bnf
descriptions. ok, i can't quite read code as much to actually verify
the validity of this, but i simply couldn't get it to work (it doesn't
seem so hard to insert a `log' between a `nat' and a `pass' in an
otherwise working setup now does it?), didn't find any references
doing so anyplace, and seem to remember something about it being
removed (but it may have well been log-all...).
questions: if the diff below is not correct, what's the correct syntax
for logging in a nat(/binat/rdr) rule? ("nat on pcn0 from
192.168.1.0/24 to any -> (pcn0)" works fine, "nat log on pcn..." gives
a syntax error).
if the diff below is correct, how can one log nats/rdrs/binats as they
happen?
thanks,
Index: pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.339
diff -u -r1.339 pf.conf.5
--- pf.conf.5 17 Nov 2005 22:18:20 -0000 1.339
+++ pf.conf.5 10 Dec 2005 01:45:27 -0000
@@ -2639,21 +2639,18 @@
"queue" ( string | "(" string [ [ "," ] string ] ")" ) |
"probability" number"%"
-nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
- [ "on" ifspec ] [ af ]
+nat-rule = [ "no" ] "nat" [ "pass" ] [ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ]
[ "->" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] [ "static-port" ] ]
-binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
- [ "on" interface-name ] [ af ]
- [ "proto" ( proto-name | proto-number ) ]
+binat-rule = [ "no" ] "binat" [ "pass" ] [ "on" interface-name ]
+ [ af ] [ "proto" ( proto-name | proto-number ) ]
"from" address [ "/" mask-bits ] "to" ipspec
[ "tag" string ] [ "tagged" string ]
[ "->" address [ "/" mask-bits ] ]
-rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
- [ "on" ifspec ] [ af ]
+rdr-rule = [ "no" ] "rdr" [ "pass" ] [ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ]
[ "->" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] ]
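
Review bot: The removed lines in nat-rule, binat-rule and rdr-rule all nest "log" inside the optional "pass" group (`[ "pass" [ "log" [ "(" logopts ")" ] ] ]`), so the form the old BNF documents is `nat pass log on ...`, with "log" after "pass". The message only reports trying `nat log on pcn...` and a "log" placed between "nat" and "pass", neither of which the old grammar allows, so a syntax error there does not show that the documented form is wrong. Before dropping the keyword from the man page, test `nat pass log on pcn0 from 192.168.1.0/24 to any -> (pcn0)` against the parser. If that loads, the BNF is correct as it stands and the change should be dropped, or replaced with a sentence in the translation section saying that "log" is only accepted together with "pass". If it is rejected, the removal is right, and it is worth checking whether any remaining rule still references `logopts` in the same way.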
--
[-]
mkdir /nonexistent