kern/122773: [pf] pf doesn't log uid or pid when configured to
Max Laier
max at love2party.net
Tue Apr 15 01:10:08 UTC 2008
The following reply was made to PR kern/122773; it has been noted by GNATS.
From: Max Laier <max at love2party.net>
To: bug-followup at freebsd.org, josh at endries.org
Subject: Re: kern/122773: [pf] pf doesn't log uid or pid when configured to
Date: Tue, 15 Apr 2008 03:01:18 +0200
The problem is twofold:
1) FreeBSD doesn't store the PID for the opening process in the socket
credentials.
2) tcpdump currently doesn't report uid/pid at all.
The first issue could probably be fixed, but would touch quite a lot of
things - it's really an industrious task. Feel free to submit patches ;)
I don't currently have the time to do this.
The second issue can be addressed with the attached patch, which should
enable you to display the UID. It will report NO_PID (100000) for
everything as long as 1 isn't fixed, though.
--
Max
Attachment: tcpdump-uid.diff (text/x-diff)
Index: print-pflog.c
===================================================================
RCS file: /home/ncvs/src/contrib/tcpdump/print-pflog.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 print-pflog.c
--- print-pflog.c 16 Oct 2007 02:20:17 -0000 1.1.1.4
+++ print-pflog.c 15 Apr 2008 00:53:58 -0000
@@ -106,6 +106,12 @@
else
printf("rule %u.%s.%u/", rulenr, hdr->ruleset, subrulenr);
+#ifdef PF_LOG_SOCKET_LOOKUP
+ if (vflag && hdr->uid != UID_MAX)
+ printf("[uid %u, pid %u] ", (unsigned)hdr->uid,
+ (unsigned)hdr->pid);
+#endif
+
printf("%s: %s %s on %s: ",
tok2str(pf_reasons, "unkn(%u)", hdr->reason),
tok2str(pf_actions, "unkn(%u)", hdr->action),
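Review bot: the guard on the new printf tests only hdr->uid against UID_MAX, so a record whose uid was looked up but whose pid was never stored is printed as "pid 100000", which is exactly the NO_PID sentinel the reply says FreeBSD will emit for every logged socket until the kernel starts recording the pid. Consider testing hdr->pid too, for example printing "[uid %u, pid -] " when hdr->pid == NO_PID (or dropping the pid field in that case), so that -v output does not present the sentinel as a real process id. The man page should also mention that the uid/pid fields appear only with -v and only when print-pflog.c is built with PF_LOG_SOCKET_LOOKUP defined.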
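The reply above notes that, with the patch applied, the pid field will read NO_PID (100000) on FreeBSD because the kernel never stores the opening process's pid, while the uid is only printed when it is not UID_MAX. The following is an added example, not the patch and not tcpdump's own code, of formatting that prefix so the two sentinels are handled explicitly. It assumes UID_MAX equals UINT_MAX and NO_PID equals 100000 (on a real system take them from the kernel headers), and it uses a cut-down struct carrying only the uid and pid fields of struct pfloghdr; the sample records are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <limits.h>

/* Sentinel values, as described in the reply: UID_MAX marks "no socket
 * lookup was done for this rule", NO_PID (100000) marks "pid not recorded".
 * Assumed here for a stand-alone example; real code should use the values
 * from <sys/syslimits.h> and <sys/proc.h>. */
#define EX_UID_MAX UINT_MAX
#define EX_NO_PID  100000u

/* Only the two fields this example needs; the real struct pfloghdr has more. */
struct ex_pflog_ids {
    uint32_t uid;   /* uid_t in the kernel header */
    uint32_t pid;   /* pid_t, kept unsigned to mirror the (unsigned) cast in the patch */
};

/* Write the "[uid N, pid N] " prefix for one pflog record into buf.
 * Returns the number of characters produced (0 and an empty string when the
 * rule did no socket lookup, i.e. uid == UID_MAX). A known uid with the
 * NO_PID sentinel, the FreeBSD case the reply describes, is rendered as
 * "pid -" instead of "pid 100000". */
size_t ex_format_ids(const struct ex_pflog_ids *h, char *buf, size_t len)
{
    if (len == 0)
        return 0;
    buf[0] = '\0';
    if (h->uid == EX_UID_MAX)
        return 0;
    if (h->pid == EX_NO_PID)
        return (size_t)snprintf(buf, len, "[uid %u, pid -] ", (unsigned)h->uid);
    return (size_t)snprintf(buf, len, "[uid %u, pid %u] ",
                            (unsigned)h->uid, (unsigned)h->pid);
}

int main(void)
{
    /* Constructed sample records: no lookup, FreeBSD (uid only), full (uid+pid). */
    const struct ex_pflog_ids samples[] = {
        { EX_UID_MAX, EX_NO_PID },
        { 1001u, EX_NO_PID },
        { 0u, 4242u },
    };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ex_format_ids(&samples[i], buf, sizeof buf);
        printf("rule 3.default.0/ %sblock in on em0\n", buf);
    }
    return 0;
}
```

The three printed lines show the prefix omitted entirely for a rule without socket lookup, "[uid 1001, pid -]" for the FreeBSD case, and "[uid 0, pid 4242]" when both ids were recorded.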