Bug 262446 - [pf][periodic][feature][patch] Additional option to configure additional anchors to report in pfdenied periodic script
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: Unspecified
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2022-03-09 14:20 UTC by Matteo Riondato
Modified: 2022-03-13 00:01 UTC

See Also:


Attachments
Patch against main as of 20220309 (1.79 KB, patch), 2022-03-09 14:20 UTC, Matteo Riondato
Patch against main as of 20220309 (1.80 KB, patch), 2022-03-09 14:33 UTC, Matteo Riondato

Description Matteo Riondato 2022-03-09 14:20:21 UTC
Created attachment 232344
Patch against main as of 20220309

The security/520-pfdenied script only reports blocked packets from the main ruleset or any blocklistd(8) anchor. 

The attached patch adds an option to periodic.conf(5) to make it possible to specify additional anchors to report.
Comment 1 Kristof Provost 2022-03-09 14:28:49 UTC
Am I misreading things, or did we lose ' "" ' in the for loop in 520.pfdenied? That'd mean we no longer list the main ruleset, right?
Comment 2 Matteo Riondato 2022-03-09 14:30:40 UTC
Sorry, my bad. I changed something at the last minute and forgot to go back. Please give me a few minutes to check that everything actually works when I put ' "" ' back.
Comment 3 Matteo Riondato 2022-03-09 14:33:46 UTC
Created attachment 232345
Patch against main as of 20220309

Updated patch to restore inclusion of default ruleset.
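The loop that comment 1 caught, written out as an added example; this is not the 520.pfdenied script itself and not the patch under review. pfctl(8) is replaced by a shell function that emits constructed output in the shape of `pfctl -vsr` (rule line followed by a counter line), the blocklistd anchor names and the extra anchor `myanchor` are invented, and the list of additional anchors is passed as an argument because the periodic.conf(5) option's actual name is not given on this page. The point it shows is that `pfctl -a ""` addresses the main ruleset, so the leading `""` in the `for` list is what keeps the main ruleset in the report.

```shell
#!/bin/sh
# Added example, not the 520.pfdenied script. Shows how a pfdenied-style
# report walks the main ruleset, the blocklistd(8) anchors and any
# additional anchors, and why the empty-string entry in the loop matters.

# Stub standing in for pfctl(8) so the example runs offline. Output is
# constructed in the shape of "pfctl -a <anchor> -sr -v": each rule is
# followed by its counter line (and, on FreeBSD, an "Inserted" line).
pfctl() {
    anchor=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -a) anchor="$2"; shift 2 ;;
            *)  shift ;;
        esac
    done
    case "$anchor" in
        "")  # the empty anchor name is the main ruleset
            printf '%s\n' \
              'block drop in log quick on em0 from 192.0.2.0/24 to any' \
              '  [ Evaluations: 10        Packets: 7         Bytes: 420         States: 0     ]' \
              '  [ Inserted: uid 0 pid 1234 State Creations: 0     ]' \
              'pass in on em0 inet proto tcp from any to any port = 22 flags S/SA keep state' \
              '  [ Evaluations: 40        Packets: 200       Bytes: 16000       States: 2     ]' ;;
        blocklistd/22)
            printf '%s\n' \
              'block drop in quick proto tcp from <port22> to any port = 22' \
              '  [ Evaluations: 5         Packets: 3         Bytes: 180         States: 0     ]' ;;
        blocklistd/25)
            printf '%s\n' \
              'block drop in quick proto tcp from <port25> to any port = 25' \
              '  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]' ;;
        myanchor)
            printf '%s\n' \
              'block drop in quick from 198.51.100.7 to any' \
              '  [ Evaluations: 12        Packets: 12        Bytes: 720         States: 0     ]' ;;
        *)  return 1 ;;   # unknown anchor: real pfctl prints an error
    esac
}

# Anchor names blocklistd(8) would have created; constructed for the example.
blocklistd_anchors() {
    printf '%s\n' 'blocklistd/22' 'blocklistd/25'
}

# Pair every "block" rule under one anchor with the packet count from the
# counter line that follows it. Output: <anchor>|<rule>|<packets>.
denied_in_anchor() {
    anchor="$1"
    pfctl -a "$anchor" -sr -v 2>/dev/null | awk -v a="${anchor:-<main>}" '
        /^block/ {
            rule = $0
            getline                      # counter line for this rule
            pkts = $0
            sub(/.*Packets: /, "", pkts)
            sub(/ .*/, "", pkts)
            print a "|" rule "|" pkts
        }'
}

# The report loop. The leading "" is the main ruleset; $1 stands in for the
# space-separated list the periodic.conf(5) option supplies. Remove the ""
# and the main ruleset silently drops out of the report.
pfdenied_report() {
    additional="$1"
    for anchor in "" $(blocklistd_anchors) $additional; do
        denied_in_anchor "$anchor"
    done
}

pfdenied_report "myanchor"
```

Running it prints one line per block rule for the main ruleset, both blocklistd anchors and `myanchor`; calling `pfdenied_report ""` gives the same without the additional anchor. Note that `2>/dev/null` on the pfctl call also hides a misspelled anchor name in the option value, so an anchor that produces no line in the report is worth checking by hand with `pfctl -a <name> -sr`.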
Comment 4 commit-hook 2022-03-10 13:03:33 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=0784121c963e39aa9e8b33c4e0a0c181daf75277

commit 0784121c963e39aa9e8b33c4e0a0c181daf75277
Author:     Matteo Riondato <matteo@FreeBSD.org>
AuthorDate: 2022-03-09 14:02:11 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-03-10 11:08:59 +0000

    pfdenied: support reporting on additional anchors

    The security/520-pfdenied script only reports blocked packets from the
    main ruleset or any blocklistd(8) anchor.

    Add an option to periodic.conf(5) to make it possible to specify
    additional anchors to report.

    PR:             262446
    Reviewed by:    kp

 share/man/man5/periodic.conf.5              | 9 ++++++++-
 usr.sbin/periodic/etc/security/520.pfdenied | 2 +-
 usr.sbin/periodic/periodic.conf             | 1 +
 3 files changed, 10 insertions(+), 2 deletions(-)
Comment 5 Matteo Riondato 2022-03-10 15:06:06 UTC
Thank you, Kristof.

Are you planning to MFC or shall I just close the PR?
Comment 6 Kristof Provost 2022-03-10 15:35:33 UTC
(In reply to Matteo Riondato from comment #5)
I have no specific plans to, no. It's probably too late for 13.1 at this point anyway.
Comment 7 commit-hook 2022-03-13 00:01:11 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a33ead9c9cf3f92a3b11b76b4717d8eb4f3a0403

commit a33ead9c9cf3f92a3b11b76b4717d8eb4f3a0403
Author:     Matteo Riondato <matteo@FreeBSD.org>
AuthorDate: 2022-03-12 22:59:25 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-03-12 22:59:25 +0000

    pfdenied: match actual variable name to the documented one

    PR:             262446
    Reviewed by:    kp

 usr.sbin/periodic/etc/security/520.pfdenied | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)