From rionda@utenti.gufi.org  Tue Feb 22 18:19:30 2005
Return-Path: <rionda@utenti.gufi.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id E42DD16A4CE; Tue, 22 Feb 2005 18:19:30 +0000 (GMT)
Received: from relay.gufi.org (civetta.gufi.org [193.27.203.173])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 5DA3843D48; Tue, 22 Feb 2005 18:19:30 +0000 (GMT)
	(envelope-from rionda@utenti.gufi.org)
Received: from utenti.gufi.org (utenti.gufi.org [193.27.203.174])
	by relay.gufi.org (Postfix) with ESMTP
	id 478F4211AA; Tue, 22 Feb 2005 19:19:29 +0100 (CET)
Received: (from rionda@localhost)
	by utenti.gufi.org (8.12.11/8.12.11/Submit) id j1MIJSqN069957;
	Tue, 22 Feb 2005 19:19:28 +0100 (CET)
	(envelope-from rionda)
Message-Id: <200502221819.j1MIJSqN069957@utenti.gufi.org>
Date: Tue, 22 Feb 2005 19:19:28 +0100 (CET)
From: Matteo Riondato <rionda@gufi.org>
Reply-To: Matteo Riondato <rionda@gufi.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: mlaier@freebsd.org, keramida@freebsd.org
Subject: pf and ipfw periodic scripts not working 
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         77932
>Category:       conf
>Synopsis:       [patch] security.functions: pf and ipfw periodic scripts not working with 'new_only' argument
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    matteo
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 22 18:20:18 GMT 2005
>Closed-Date:    Wed Mar 08 16:44:07 GMT 2006
>Last-Modified:  Wed Mar 08 16:44:07 GMT 2006
>Originator:     Matteo Riondato
>Release:        FreeBSD 6-CURRENT i386
>Organization:
>Environment:
System: FreeBSD kaiser.sig11.org 6.0-CURRENT FreeBSD 6.0-CURRENT #2: Sun Feb 20 21:19:06 CET 2005     rionda@kaiser.sig11.org:/usr/obj/usr/src/sys/KAISER  i386

>Description:
I think there's a little mistake
in /etc/periodic/security/security.functions:

if check_diff() is called with "new_only" as its first argument, as it
is in /etc/periodic/security/520.pfdenied (and 500.ipfwdenied), it will
use "grep '^>'" as a filter to grep only the different lines between the
output of "pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0;
getline; gsub(" +"," ",$0); print buf$0;} }'" and /var/log/pf.today.

The diff between the output and the file is done with 
diff {daily_status_security_diff_flags} /var/log/pf.today $OUTPUT
and the filter is "piped" after this command, so we have:

diff {daily_status_security_diff_flags} /var/log/pf.today $OUTPUT | grep
'^>' 

but daily_status_security_diff_flags is set to "-b -u"
in /etc/defaults/periodic.conf so there aren't lines beginning with ">",
because we are doing a unified diff. The filter then gives no output
and the only output of /etc/periodic/security/520.pfdenied is

$HOSTNAME pf denied packets:

This can be solved by changing $filter from "grep '^>'" to "grep '^+'"
in /etc/periodic/security/security.functions, line 46.
I would not change daily_status_security_diff_flags as I remember that
having unified diff in periodic mails was discussed and approved in the MLs.

>How-To-Repeat:
	
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->matteo 
Responsible-Changed-By: matteo 
Responsible-Changed-When: Mon Mar 6 21:04:08 UTC 2006 
Responsible-Changed-Why:  
I submitted this PR.. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77932 
State-Changed-From-To: open->closed 
State-Changed-By: matteo 
State-Changed-When: Wed Mar 8 16:43:29 UTC 2006 
State-Changed-Why:  
This was fixed long ago by cperciva@ 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77932 
>Unformatted:
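The filter mismatch this PR describes, as an added shell example that is not FreeBSD's own security.functions code: a stand-in for the "new_only" path of check_diff, run over two constructed pf rule snapshots (the file names, the temporary directory and the sample rules are assumptions), comparing what "grep '^>'", "grep '^+'" and a header-dropping filter let through under "diff -b -u".

```sh
#!/bin/sh
# Added example, not FreeBSD's own security.functions: a minimal stand-in for
# the "new_only" path of check_diff, run over two constructed pf rule snapshots.
# It shows why "grep '^>'" passes nothing under "diff -b -u" and what
# "grep '^+'" passes instead.

# Value of daily_status_security_diff_flags in /etc/defaults/periodic.conf.
DIFF_FLAGS="-b -u"

# Constructed snapshots: yesterday's /var/log/pf.today and today's pfctl
# output, already flattened to one line per block rule as the nawk in
# 520.pfdenied does. Today has one new rule; the old ones are unchanged.
YESTERDAY='block drop in on em0 from 10.0.0.0/8 to any [ Evaluations: 10 Packets: 4 ]
block drop in on em0 from 192.168.0.0/16 to any [ Evaluations: 10 Packets: 0 ]'
TODAY='block drop in on em0 from 10.0.0.0/8 to any [ Evaluations: 10 Packets: 4 ]
block drop in on em0 from 192.168.0.0/16 to any [ Evaluations: 10 Packets: 0 ]
block drop in on em0 from 172.16.0.0/12 to any [ Evaluations: 3 Packets: 1 ]'

# filtered_diff FILTER...: run "diff $DIFF_FLAGS yesterday today | FILTER",
# the same pipe shape check_diff uses, and print whatever survives the filter.
filtered_diff() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$YESTERDAY" > "$dir/pf.today"
    printf '%s\n' "$TODAY" > "$dir/pf.output"
    # diff exits 1 when the files differ; only the filtered text matters here.
    diff $DIFF_FLAGS "$dir/pf.today" "$dir/pf.output" | "$@" || true
    rm -rf "$dir"
}

# count_lines FILTER...: how many lines the filter would let into the mail.
count_lines() { filtered_diff "$@" | wc -l | tr -d ' '; }

# 1. The filter on line 46 of security.functions: unified diff marks added
#    lines with "+", never ">", so nothing is reported.
broken_count=$(count_lines grep '^>')      # 0

# 2. The fix proposed in the PR: the new rule shows up, but so does the
#    "+++ /path/pf.output" file header that unified diff emits.
naive_count=$(count_lines grep '^+')       # 2

# 3. Dropping that header as well leaves only the genuinely new rule.
strict_filter() { grep '^+' | grep -v '^+++'; }
fixed_count=$(count_lines strict_filter)   # 1

echo "grep '^>': $broken_count   grep '^+': $naive_count   header dropped: $fixed_count"
```

The third filter is the check a practitioner would want on top of the PR's fix: with "grep '^+'" alone, every daily mail would carry the "+++" file header line as if it were a new rule.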
