Respect pf rule log option before log dropped packets with IP options or

dangerous v6 headers Reviewed by: gnn, eri Approved by: gnn Obtained from: pfSense MFC after: 3 days Sponsored by: Netgate Differential Revision: https://reviews.freebsd.org/D3222
author: garga <garga@FreeBSD.org> 2015-07-28 10:31:34 +0000
committer: garga <garga@FreeBSD.org> 2015-07-28 10:31:34 +0000
commit: e348ebeae9c4d64e7b54ea17ae7468cc91a3af71 (patch)
tree: e4f3e61d99232fd19cd2c05e27824d8721296ed4 /sys/netpfil
parent: 90f99cb0991cfa4a276b211eda75788855eea1dd (diff)
download: FreeBSD-src-e348ebeae9c4d64e7b54ea17ae7468cc91a3af71.zip
FreeBSD-src-e348ebeae9c4d64e7b54ea17ae7468cc91a3af71.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 122f026..49781a8 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5895,7 +5895,8 @@ done:
 	    !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
 		action = PF_DROP;
 		REASON_SET(&reason, PFRES_IPOPTIONS);
-		log = 1;
+		if (r->log)
+			log = 1;
 		DPFPRINTF(PF_DEBUG_MISC,
 		    ("pf: dropping packet with ip options\n"));
 	}
@@ -6329,7 +6330,8 @@ done:
 	    !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
 		action = PF_DROP;
 		REASON_SET(&reason, PFRES_IPOPTIONS);
-		log = 1;
+		if (r->log)
+			log = 1;
 		DPFPRINTF(PF_DEBUG_MISC,
 		    ("pf: dropping packet with dangerous v6 headers\n"));
 	}
author	garga <garga@FreeBSD.org>	2015-07-28 10:31:34 +0000
committer	garga <garga@FreeBSD.org>	2015-07-28 10:31:34 +0000
commit	e348ebeae9c4d64e7b54ea17ae7468cc91a3af71 (patch)
tree	e4f3e61d99232fd19cd2c05e27824d8721296ed4 /sys/netpfil
parent	90f99cb0991cfa4a276b211eda75788855eea1dd (diff)
download	FreeBSD-src-e348ebeae9c4d64e7b54ea17ae7468cc91a3af71.zip FreeBSD-src-e348ebeae9c4d64e7b54ea17ae7468cc91a3af71.tar.gz