Bug 273924

Summary: pf Logging Issue: Missing NAT and RDR Translation Details in pflog
Product: Base System
Reporter: Alfa <burak.sn>
Component: kern
Assignee: Kristof Provost <kp>
Status: Open
Severity: Affects Only Me
CC: franco, grahamperrin
Priority: ---
Keywords: feature
Version: 14.0-STABLE
Flags: linimon: mfc-stable13?
Hardware: amd64
OS: Any

Description Alfa 2023-09-18 08:26:46 UTC
Hi,
PF logging, as well as the corresponding PFLOG interface, does not seem to provide detailed logs for NAT and RDR translations by default. The level of detail I am looking for in the log entries, such as showing the specific NAT or RDR translation information, seems not to be included in the standard logging capabilities of PF. Are you planning to add this feature? Thanks in advance.

Some users experience this issue:
https://lists.freebsd.org/pipermail/freebsd-pf/2011-January/005944.html

Details are shown below

When my clients try to access my servers over WAN on my FreeBSD firewall,
pflog0 only shows CLIENTA_PUBLIC_IP -> FW_PUBLIC_IP access. It does not log actual nat or rdr translations.
I am trying to keep track of PF NAT records like:

For RDR:
CLIENTA_PUBLIC_IP.55638 > FW_PUBLIC_IP.3306 RDR TO >SERVER_LOCAL_IP:3306

rdr log on { pppoe_igc1 } proto { tcp } from { $CLIENTA_PUBLIC_IP } to any  port { 3306 }  -> $SERVER_LOCAL_IP port 3306  

pass in log quick on { pppoe_igc1 } reply-to ( pppoe_igc1 $igc1_if_gateway ) proto { tcp } from { $CLIENTA_PUBLIC_IP } to $SERVER_LOCAL_IP port 3306 flags S/SA keep state ridentifier 1000117

But the pflog0 RDR log shows only:
root@test:~ # tcpdump -ttt -n -e -i pflog0 host CLIENTA_PUBLIC_IP and action rdr -v
tcpdump: listening on pflog0,...
 00:00:00.000000 rule 47/0(match): rdr in on pppoe_igc1: (tos 0x0, ttl 51, id 63257, offset 0, flags [DF], proto TCP (6), length 60)
    CLIENTA_PUBLIC_IP.55638 > FW_PUBLIC_IP.3306: Flags [S],...

For NAT:

CLIENTB_LOCAL_IP.55530 > CLIENTA_PUBLIC_IP.3306  NAT TO > USABLE_PUBLIC_IP

But the pflog0 NAT log shows only:
00:00:00.000000 rule 14/0(match): nat out on pppoe_igc1: CLIENTB_LOCALIP.58258 > CLIENTA_PUBLICIP.3306: Flags [S], ...
Comment 1 Graham Perrin 2023-09-19 04:40:39 UTC
^Triage: severity reduced to the norm for a feature request.
Comment 2 Franco Fichtner 2023-09-19 07:34:46 UTC
pflog simply logs matching packages causing a rule to trigger and does not emit rule metadata, because the reference to the rule is in the pflog header.

Since https://cgit.freebsd.org/src/commit/sys/netpfil/pf?id=8e496ea1df1f00ea7832eb41754dbbb56dd244c8 the nat rules are logged separately from the filter rule and that's pre-rewrite. The filter rule log will match post-write. It gives you an idea of how the address was rewritten, but only if you compare the two packet headers.


Cheers,
Franco
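The comparison Franco describes (the nat/rdr entry carries the pre-rewrite header, the filter-rule entry for the same packet carries the post-rewrite header) can be automated. The script below is an added example, not code from the bug report or from FreeBSD; it parses `tcpdump -n -e -ttt -i pflog0` output in the format shown in the description, pairs each `nat`/`rdr` match with the following `pass`/`block`/`match` entry on the same interface and direction whose untranslated side is unchanged, and prints the "NAT TO"/"RDR TO" line the reporter asked for. The sample log lines are constructed with RFC 5737 documentation addresses; the pairing heuristic, the rule that NAT rewrites the source and RDR the destination, and the handling of a nat entry with no matching filter log (the pass rule lacking `log`) are assumptions of this example, and `binat` is not handled.

```python
"""Recover NAT/RDR translations from pflog by comparing the pre-rewrite
nat/rdr entry with the post-rewrite filter-rule entry for the same packet.
Added example; not part of FreeBSD or of the bug report."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output (RFC 5737 addresses,
# not taken from the bug report). Lines 1-2 and 3-4 are the same packet logged twice;
# line 5 is a nat match whose pass rule has no `log`, so no post-rewrite entry follows.
SAMPLE_PFLOG = """\
 00:00:00.000000 rule 14/0(match): nat out on pppoe_igc1: 192.0.2.20.58258 > 203.0.113.7.3306: Flags [S], seq 100, win 65535, length 0
 00:00:00.000012 rule 31/0(match): pass out on pppoe_igc1: 198.51.100.9.58258 > 203.0.113.7.3306: Flags [S], seq 100, win 65535, length 0
 00:00:00.000000 rule 47/0(match): rdr in on pppoe_igc1: 203.0.113.7.55638 > 198.51.100.9.3306: Flags [S], seq 200, win 65535, length 0
 00:00:00.000009 rule 52/0(match): pass in on pppoe_igc1: 203.0.113.7.55638 > 192.0.2.30.3306: Flags [S], seq 200, win 65535, length 0
 00:00:00.000000 rule 14/0(match): nat out on pppoe_igc1: 192.0.2.21.40001 > 203.0.113.8.443: Flags [S], seq 300, win 65535, length 0
"""

TRANSLATION_ACTIONS = {"nat", "rdr"}          # logged pre-rewrite
FILTER_ACTIONS = {"pass", "block", "match"}   # logged post-rewrite

# rule N/M(match): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>:
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>[\w-]+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


@dataclass
class PflogEntry:
    rule: int
    action: str
    direction: str
    ifname: str
    src: tuple  # (address, port)
    dst: tuple


def parse_line(line: str) -> Optional[PflogEntry]:
    """Return a PflogEntry for a pflog tcpdump line, or None for lines we do not understand."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return PflogEntry(int(m["rule"]), m["action"], m["dir"], m["ifname"],
                      (m["src"], int(m["sport"])), (m["dst"], int(m["dport"])))


def endpoint(ep: tuple) -> str:
    return f"{ep[0]}:{ep[1]}"


@dataclass
class Translation:
    pre: PflogEntry             # nat/rdr entry: header before rewriting
    post: Optional[PflogEntry]  # filter entry: header after rewriting (None if not logged)

    def describe(self) -> str:
        head = (f"rule {self.pre.rule} {self.pre.action} {self.pre.direction} on {self.pre.ifname}: "
                f"{endpoint(self.pre.src)} > {endpoint(self.pre.dst)}")
        if self.post is None:
            return head + " (no filter-rule log to compare; add 'log' to the matching pass rule)"
        if self.pre.action == "rdr":   # rdr rewrites the destination
            return head + f" RDR TO > {endpoint(self.post.dst)} (filter rule {self.post.rule})"
        return head + f" NAT TO > {endpoint(self.post.src)} (filter rule {self.post.rule})"   # nat rewrites the source


def same_packet(pre: PflogEntry, post: PflogEntry) -> bool:
    """Assumption: only one side is rewritten, so the other side must be identical."""
    if pre.direction != post.direction or pre.ifname != post.ifname:
        return False
    return pre.src == post.src if pre.action == "rdr" else pre.dst == post.dst


def correlate(text: str) -> list:
    """Pair each nat/rdr entry with the next matching filter entry; unmatched ones get post=None."""
    results = []
    pending = {}  # (direction, ifname) -> translation entry still waiting for its filter log
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (e.direction, e.ifname)
        if e.action in TRANSLATION_ACTIONS:
            if key in pending:  # previous translation never got a filter log
                results.append(Translation(pending.pop(key), None))
            pending[key] = e
        elif e.action in FILTER_ACTIONS and key in pending and same_packet(pending[key], e):
            results.append(Translation(pending.pop(key), e))
    results.extend(Translation(e, None) for e in pending.values())
    return results


if __name__ == "__main__":
    for t in correlate(SAMPLE_PFLOG):
        print(t.describe())
```

The heuristic relies on the filter rule also carrying `log`; when only the nat/rdr rule logs, pf emits just the pre-rewrite header and the script reports the entry as unmatched rather than guessing the translated address.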
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2024-01-14 00:01:25 UTC
^Triage: promote version number to a currently supported value.
Comment 4 Franco Fichtner 2024-01-17 07:11:49 UTC
Mark,

https://cgit.freebsd.org/src/commit/sys/netpfil/pf?id=8e496ea1df1f00ea7832eb41754dbbb56dd244c8 was never backported to stable/13 but it is available in 14.0-RELEASE so I don't think the issue applies any longer and certainly not to 14.0-STABLE :)


Cheers,
Franco
Comment 5 Mark Linimon freebsd_committer freebsd_triage 2024-01-18 15:39:45 UTC
^Triage: over to committer of https://cgit.freebsd.org/src/commit/sys/netpfil/pf?id=8e496ea1df1f00ea7832eb41754dbbb56dd244c8 for possible mfc-13 consideration.