git: 0784121c963e - main - pfdenied: support reporting on additional anchors
Date: Thu, 10 Mar 2022 13:03:26 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=0784121c963e39aa9e8b33c4e0a0c181daf75277 commit 0784121c963e39aa9e8b33c4e0a0c181daf75277 Author: Matteo Riondato <matteo@FreeBSD.org> AuthorDate: 2022-03-09 14:02:11 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2022-03-10 11:08:59 +0000 pfdenied: support reporting on additional anchors The security/520-pfdenied script only reports blocked packets from the main ruleset or any blocklistd(8) anchor. Add an option to periodic.conf(5) to make it possible to specify additional anchors to report. PR: 262446 Reviewed by: kp --- share/man/man5/periodic.conf.5 | 9 ++++++++- usr.sbin/periodic/etc/security/520.pfdenied | 2 +- usr.sbin/periodic/periodic.conf | 1 + 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/share/man/man5/periodic.conf.5 b/share/man/man5/periodic.conf.5
index 293a6a3e0cc3..119c49502c9d 100644
--- a/share/man/man5/periodic.conf.5
+++ b/share/man/man5/periodic.conf.5
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd March 7, 2022
+.Dd March 9, 2022
 .Dt PERIODIC.CONF 5
 .Os
 .Sh NAME
@@ -960,6 +960,13 @@ Set to
 to show log entries for packets denied by
 .Xr pf 4
 since yesterday's check.
+.It Va security_status_pfdenied_additionalanchors
+.Pq Vt str
+Space-separated list of additional anchors whose denied packets log entries to
+show.
+The main ruleset (i.e., the empty-string anchor) and any
+.Xr blacklistd 8
+anchors, if present, are always shown.
 .It Va security_status_pfdenied_period
 .Pq Vt str
 Set to either
diff --git a/usr.sbin/periodic/etc/security/520.pfdenied b/usr.sbin/periodic/etc/security/520.pfdenied
index 69d9df78436b..b75f6224c328 100755
--- a/usr.sbin/periodic/etc/security/520.pfdenied
+++ b/usr.sbin/periodic/etc/security/520.pfdenied
@@ -44,7 +44,7 @@ rc=0
 if check_yesno_period security_status_pfdenied_enable
 then
 TMP=`mktemp -t security`
-for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null)
+for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) ${security_status_pfdenied_anchors}
 do
 pfctl -a "${_a}" -sr -v -z 2>/dev/null | \
 nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
diff --git a/usr.sbin/periodic/periodic.conf b/usr.sbin/periodic/periodic.conf
index ade62be10e96..61cebe858372 100644
--- a/usr.sbin/periodic/periodic.conf
+++ b/usr.sbin/periodic/periodic.conf
@@ -298,6 +298,7 @@ security_status_ipfdenied_period="daily"
 # 520.pfdenied
 security_status_pfdenied_enable="YES"
 security_status_pfdenied_period="daily"
+security_status_pfdenied_additionalanchors=""
 
 # 550.ipfwlimit
 security_status_ipfwlimit_enable="YES"
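Review bot: The variable the new `for` line reads, `${security_status_pfdenied_anchors}`, is not the name this same commit documents in periodic.conf.5 and defaults in periodic.conf (`security_status_pfdenied_additionalanchors`), so the knob as documented is never consulted and extra anchors are silently left out of the report; the periodic.conf hunk on this page carries the other half of the mismatch. The line should read `for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) ${security_status_pfdenied_additionalanchors}`. The expansion is deliberately left unquoted so the space-separated list word-splits into one anchor per iteration and each name is then passed quoted to `pfctl -a "${_a}"`, which is sound but deserves a comment such as `# unquoted on purpose: word-split the space-separated anchor list from periodic.conf`. The enclosing `if check_yesno_period` block and its `for` loop continue past the end of the hunk.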