Merge branch 'logging'

mullvad · Aug 15, 2017 · 2a51ecd · 2a51ecd
2 parents 05e3bd3 + f44c956
commit 2a51ecd
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 0 deletions.
diff --git a/src/rule.rs b/src/rule.rs
@@ -16,6 +16,7 @@ use libc;
 use std::fmt;
 use std::mem;
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
+use std::vec::Vec;
 
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
 #[derive(Builder)]
@@ -27,6 +28,8 @@ pub struct FilterRule {
     #[builder(default)]
     quick: bool,
     #[builder(default)]
+    log: RuleLogSet,
+    #[builder(default)]
     keep_state: StatePolicy,
     #[builder(default)]
     interface: Interface,
@@ -84,6 +87,7 @@ impl TryCopyTo<ffi::pfvar::pf_rule> for FilterRule {
         pf_rule.action = self.action.into();
         pf_rule.direction = self.direction.into();
         pf_rule.quick = self.quick as u8;
+        pf_rule.log = (&self.log).into();
         pf_rule.keep_state = self.validate_state_policy()?.into();
         self.interface
             .copy_to(&mut pf_rule.ifname)
@@ -678,6 +682,52 @@ impl From<StatePolicy> for u8 {
 }
 
 
+/// Enum describing logging options
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+pub enum RuleLog {
+    /// Log all packets, but only initial packet for connections with state
+    /// Can be omitted if IncludeMatchingState set
+    ExcludeMatchingState,
+    /// Log all packets including ones matching state
+    IncludeMatchingState,
+    /// Log user id and group id that owns the local socket
+    SocketOwner,
+}
+
+impl From<RuleLog> for u8 {
+    fn from(rule_log: RuleLog) -> Self {
+        match rule_log {
+            RuleLog::ExcludeMatchingState => ffi::pfvar::PF_LOG as u8,
+            RuleLog::IncludeMatchingState => ffi::pfvar::PF_LOG_ALL as u8,
+            RuleLog::SocketOwner => ffi::pfvar::PF_LOG_SOCKET_LOOKUP as u8,
+        }
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Hash, Default)]
+pub struct RuleLogSet(Vec<RuleLog>);
+
+impl RuleLogSet {
+    pub fn new(set: &[RuleLog]) -> Self {
+        RuleLogSet(set.to_vec())
+    }
+}
+
+impl From<RuleLog> for RuleLogSet {
+    fn from(rule_log: RuleLog) -> Self {
+        RuleLogSet(vec![rule_log])
+    }
+}
+
+impl<'a> From<&'a RuleLogSet> for u8 {
+    fn from(set: &RuleLogSet) -> Self {
+        set.0
+            .iter()
+            .fold(0, |acc, &x| (acc | u8::from(x)))
+    }
+}
+
+
 // Implementations to convert types that are not ours into their FFI representation
 
 impl CopyTo<ffi::pfvar::pf_addr_wrap> for IpNetwork {

diff --git a/tests/rules.rs b/tests/rules.rs
@@ -206,3 +206,21 @@ test!(all_state_policies {
                             "pass inet proto tcp from 192.168.1.4 to any flags any synproxy state"]
     );
 });
+
+test!(logging {
+    let mut pf = pfctl::PfCtl::new().unwrap();
+    let rule = pfctl::FilterRuleBuilder::default()
+        .action(pfctl::RuleAction::Drop)
+        .log(pfctl::RuleLogSet::new(&[
+            pfctl::RuleLog::ExcludeMatchingState,
+            pfctl::RuleLog::IncludeMatchingState,
+            pfctl::RuleLog::SocketOwner,
+        ]))
+        .build()
+        .unwrap();
+    assert_matches!(pf.add_rule(ANCHOR_NAME, &rule), Ok(()));
+    assert_matches!(
+        pfcli::get_rules(ANCHOR_NAME),
+        Ok(ref v) if v == &["block drop log (all, user) all"]
+    );
+});