From nobody@FreeBSD.org  Mon Apr 14 22:04:10 2008
Message-Id: <200804142204.m3EM43cJ029000@www.freebsd.org>
Date: Mon, 14 Apr 2008 22:04:03 GMT
From: Josh <josh@endries.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pf doesn't log uid or pid when configured to

>Number:         122773
>Category:       kern
>Synopsis:       [pf] pf doesn't log uid or pid when configured to
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-pf
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 14 22:10:02 UTC 2008
>Closed-Date:    
>Last-Modified:  Mon Jul  1 12:50:00 UTC 2013
>Originator:     Josh
>Release:        7.0-RELEASE
>Organization:
>Environment:
FreeBSD www 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Mon Mar 31 15:51:02 EDT 2008     root@:/jails/src/root/usr/obj/jails/src/root/usr/src/sys/ULEMAC  amd64
>Description:
When pf is configured to log the UID and PID of the process sending
traffic, it doesn't.
>How-To-Repeat:
Configure pf with a rule such as:

pass out log (user) quick on $exif inet proto tcp from $exif to any keep state

Start pflog (/etc/rc.d/pflog + rcvar), then run "tcpdump -netttvvvi pflog0",
which is supposed to display the info. You should get something like (from Google):

rule 10/(match) [uid 0, pid 1807] block in on fxp0: 85.100.124.74.14464 > server1.443: [|tcp] (ttl 249, id 65259, len 40, bad cksum 0! differs by f890)

But I actually get something like:

044014 rule 17/0(match): pass out on bge0: (tos 0x10, ttl 64, id 11138, offset 0, flags [DF], proto TCP (6), length 60) 64.132.211.219.57274 > 66.94.234.13.80: [|tcp]

Other users on #freebsd@freenode reported the same behavior.
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Apr 14 23:51:36 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122773 

From: Max Laier <max@love2party.net>
To: bug-followup@freebsd.org,
 josh@endries.org
Cc:  
Subject: Re: kern/122773: [pf] pf doesn't log uid or pid when configured to
Date: Tue, 15 Apr 2008 03:01:18 +0200

 The problem is twofold: 
  1) FreeBSD doesn't store the PID for the opening process in the socket 
     credentials.
  2) tcpdump currently doesn't report uid/pid at all.
 
 The first issue could probably be fixed, but would touch quite a lot of 
 things - it's really an industrious task.  Feel free to submit patches ;)  
 I don't currently have the time to do this.
 
 The second issue can be addressed with the attached patch, which should 
 enable you to display the UID.  It will report NO_PID (100000) for 
 everything as long as 1 isn't fixed, though.
 
 -- 
 Max
 
 [Attachment: tcpdump-uid.diff]
 
 Index: print-pflog.c
 ===================================================================
 RCS file: /home/ncvs/src/contrib/tcpdump/print-pflog.c,v
 retrieving revision 1.1.1.4
 diff -u -r1.1.1.4 print-pflog.c
 --- print-pflog.c	16 Oct 2007 02:20:17 -0000	1.1.1.4
 +++ print-pflog.c	15 Apr 2008 00:53:58 -0000
 @@ -106,6 +106,12 @@
  	else
  		printf("rule %u.%s.%u/", rulenr, hdr->ruleset, subrulenr);
  
 +#ifdef PF_LOG_SOCKET_LOOKUP
 +	if (vflag && hdr->uid != UID_MAX)
 +		printf("[uid %u, pid %u] ", (unsigned)hdr->uid,
 +		    (unsigned)hdr->pid);
 +#endif
 +
  	printf("%s: %s %s on %s: ",
  	    tok2str(pf_reasons, "unkn(%u)", hdr->reason),
  	    tok2str(pf_actions, "unkn(%u)", hdr->action),
 

From: Olivier Cochard-Labbé <olivier@cochard.me>
To: bug-followup@freebsd.org, josh@endries.org
Cc: Gleb Smirnoff <glebius@freebsd.org>
Subject: Re: kern/122773: [pf] pf doesn't log uid or pid when configured to
Date: Mon, 1 Jul 2013 14:42:41 +0200

 Hi,
 I've got the same problem on 9-stable too.
 
 pflogd didn't put the correct UID value in its pcap.
 
 Here is a pflogd packet displayed in Wireshark (my user had UID 1001
 for this test):
 
 No.  Time      Source    Destination  Protocol  Length  Info
 1    0.000000  10.2.1.3  10.2.0.67    TCP       124     [pass em0/0] 32186 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 SACK_PERM=1 TSval=615127099 TSecr=0
 
 Frame 1: 124 bytes on wire (992 bits), 124 bytes captured (992 bits)
 PF Log IPv4 pass on em0 by rule 0
     Header Length: 61
     Address Family: IPv4 (2)
     Action: pass (0)
     Reason: match (0)
     Interface: em0
     Ruleset:
     Rule Number: 2
     Sub Rule Number: 16777216
     UID: -385679360
     PID: -1601830656
     Rule UID: 0
     Rule PID: -1990852608
     Direction: out (2)
     Padding: 000000
 Internet Protocol Version 4, Src: 10.2.1.3 (10.2.1.3), Dst: 10.2.0.67 (10.2.0.67)
 Transmission Control Protocol, Src Port: 32186 (32186), Dst Port: ssh (22), Seq: 0, Len: 0
     Source port: 32186 (32186)
     Destination port: ssh (22)
     [Stream index: 0]
     Sequence number: 0    (relative sequence number)
     Header length: 40 bytes
     Flags: 0x002 (SYN)
     Window size value: 65535
     [Calculated window size: 65535]
     Checksum: 0xe2c8 [validation disabled]
     Options: (20 bytes), Maximum segment size, No-Operation (NOP), Window scale, SACK permitted, Timestamps
 
 Regards,
 
 Olivier
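As an added example, not part of this PR thread: a stand-alone decoder for the pflog header that pflogd writes in front of each packet, so the uid/pid fields can be checked independently of tcpdump's or Wireshark's decoding. It assumes the 64-byte field layout shown in the dump above (length byte 61, three pad bytes at the end), that rulenr/subrulenr are in network order while uid, pid, rule_uid and rule_pid are in the logging host's byte order, and the UID_MAX / NO_PID sentinels named earlier in the thread; the sample header bytes are constructed, not captured.

```python
import struct

# Sentinels pf stores when its socket lookup finds nothing (Max Laier's note above).
UID_MAX = 0xFFFFFFFF
NO_PID = 100000

# struct pfloghdr, field order as in the Wireshark dump above: length, af, action,
# reason (1 byte each), ifname[16], ruleset[16], rulenr, subrulenr (network order),
# uid, pid, rule_uid, rule_pid (host order, assumed), dir, pad[3]. 64 bytes total,
# the length byte holding 61 (header without padding).
PFLOG_HDRLEN = 64
PFLOG_REAL_HDRLEN = 61
HEAD_FMT = ">4B16s16sII"          # everything up to and including subrulenr
CRED_FMT = "IIII"                 # uid, pid, rule_uid, rule_pid; byte order prefixed
FIELDS = ("af", "action", "reason", "ifname", "ruleset", "rulenr", "subrulenr",
          "uid", "pid", "rule_uid", "rule_pid", "dir")

def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_pfloghdr(data: bytes, host_order: str = "<") -> dict:
    """Decode one pflog header; host_order ('<' little, '>' big) is used only for
    the credential fields, which pf writes in the logging host's byte order."""
    if len(data) < PFLOG_HDRLEN or data[0] != PFLOG_REAL_HDRLEN:
        raise ValueError("not a pflog header")
    _, af, action, reason, ifn, rs, rulenr, subrulenr = struct.unpack_from(HEAD_FMT, data)
    creds = struct.unpack_from(host_order + CRED_FMT, data, 44)
    values = (af, action, reason, _cstr(ifn), _cstr(rs), rulenr, subrulenr, *creds, data[60])
    return dict(zip(FIELDS, values))

def describe_user(hdr: dict) -> str:
    """Render uid/pid the way a log consumer should: sentinels mean 'unknown',
    never a real user or process id."""
    if hdr["uid"] == UID_MAX:
        return "uid unknown"
    if hdr["pid"] == NO_PID:
        return f"uid {hdr['uid']}, pid unknown"
    return f"uid {hdr['uid']}, pid {hdr['pid']}"

def build_pfloghdr(uid: int, pid: int, host_order: str = "<") -> bytes:
    """Constructed sample (not captured data): pass out on em0 by rule 2,
    subrulenr -1 (no anchor), rule loaded by uid 0 / pid 21385."""
    head = struct.pack(HEAD_FMT, PFLOG_REAL_HDRLEN, 2, 0, 0, b"em0", b"", 2, 0xFFFFFFFF)
    return head + struct.pack(host_order + CRED_FMT, uid, pid, 0, 21385) + bytes([2, 0, 0, 0])

if __name__ == "__main__":
    good = parse_pfloghdr(build_pfloghdr(1001, 34208))
    print(describe_user(good))                                               # uid 1001, pid 34208
    print(describe_user(parse_pfloghdr(build_pfloghdr(UID_MAX, NO_PID))))   # uid unknown
    print(parse_pfloghdr(build_pfloghdr(1001, 34208), ">")["uid"])          # wrong byte order: 3909287936
```

Decoding the credential fields with the wrong byte order turns uid 1001 into 3909287936, which is -385679360 as a signed 32-bit value, the same number the dump above shows for UID.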
>Unformatted:
