git: 0784121c963e - main - pfdenied: support reporting on additional anchors

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Thu, 10 Mar 2022 13:03:26 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=0784121c963e39aa9e8b33c4e0a0c181daf75277

commit 0784121c963e39aa9e8b33c4e0a0c181daf75277
Author:     Matteo Riondato <matteo@FreeBSD.org>
AuthorDate: 2022-03-09 14:02:11 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-03-10 11:08:59 +0000

    pfdenied: support reporting on additional anchors
    
    The security/520-pfdenied script only reports blocked packets from the
    main ruleset or any blocklistd(8) anchor.
    
    Add an option to periodic.conf(5) to make it possible to specify
    additional anchors to report.
    
    PR:             262446
    Reviewed by:    kp
---
 share/man/man5/periodic.conf.5              | 9 ++++++++-
 usr.sbin/periodic/etc/security/520.pfdenied | 2 +-
 usr.sbin/periodic/periodic.conf             | 1 +
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/share/man/man5/periodic.conf.5 b/share/man/man5/periodic.conf.5
index 293a6a3e0cc3..119c49502c9d 100644
--- a/share/man/man5/periodic.conf.5
+++ b/share/man/man5/periodic.conf.5
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd March 7, 2022
+.Dd March 9, 2022
 .Dt PERIODIC.CONF 5
 .Os
 .Sh NAME
@@ -960,6 +960,13 @@ Set to
 to show log entries for packets denied by
 .Xr pf 4
 since yesterday's check.
+.It Va security_status_pfdenied_additionalanchors
+.Pq Vt str
+Space-separated list of additional anchors whose denied packets log entries to
+show.
+The main ruleset (i.e., the empty-string anchor) and any
+.Xr blacklistd 8
+anchors, if present, are always shown.
 .It Va security_status_pfdenied_period
 .Pq Vt str
 Set to either
diff --git a/usr.sbin/periodic/etc/security/520.pfdenied b/usr.sbin/periodic/etc/security/520.pfdenied
index 69d9df78436b..b75f6224c328 100755
--- a/usr.sbin/periodic/etc/security/520.pfdenied
+++ b/usr.sbin/periodic/etc/security/520.pfdenied
@@ -44,7 +44,7 @@ rc=0
 if check_yesno_period security_status_pfdenied_enable
 then
 	TMP=`mktemp -t security`
-	for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null)
+	for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) ${security_status_pfdenied_anchors}
 	do
 		pfctl -a "${_a}" -sr -v -z 2>/dev/null | \
 		nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
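Review bot: The variable read in the new `for` line does not match the option the same commit documents and declares: the loop expands `${security_status_pfdenied_anchors}`, while the man page entry (the `.It Va` line in the periodic.conf.5 hunk) and the periodic.conf default (the added line in the third hunk) both use `security_status_pfdenied_additionalanchors`. As committed, anything an administrator sets under the documented name is silently ignored and the script keeps reporting only the main ruleset and blacklistd anchors, so the feature never takes effect. The fix is the one word: `for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) ${security_status_pfdenied_additionalanchors}`. The unquoted expansion is presumably intended so the space-separated list word-splits into one anchor per iteration, which is worth a short comment since it reads like a quoting bug; the `if` body and the loop begin before and continue past this hunk.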
diff --git a/usr.sbin/periodic/periodic.conf b/usr.sbin/periodic/periodic.conf
index ade62be10e96..61cebe858372 100644
--- a/usr.sbin/periodic/periodic.conf
+++ b/usr.sbin/periodic/periodic.conf
@@ -298,6 +298,7 @@ security_status_ipfdenied_period="daily"
 # 520.pfdenied
 security_status_pfdenied_enable="YES"
 security_status_pfdenied_period="daily"
+security_status_pfdenied_additionalanchors=""
 
 # 550.ipfwlimit
 security_status_ipfwlimit_enable="YES"