Re: Question about periodic

From: Doug White <dwhite_at_gumbysoft.com>
Date: Tue, 22 Feb 2005 10:06:16 -0800 (PST)
On Tue, 22 Feb 2005, Matteo Riondato wrote:

> Hi folks,
> I think there's a little mistake
> in /etc/periodic/security/security.functions:
>
> if check_diff() is called whith "new_only" as its first argument, as it
> is in /etc/periodic/security/520.pfdenied (and 500.ipfwdenied), it will
> use "grep '^>'" as a filter to grep only the different lines between the
> ouput of "pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0;
> getline; gsub(" +"," ",$0); print buf$0;} }'" and /var/log/pf.today .
>
> The diff between the output and the file is done with
> diff {daily_status_security_diff_flags} /var/log/pf.today $OUTPUT
> and the filter is "piped" after this command, so we have:
>
> diff {daily_status_security_diff_flags} /var/log/pf.today $OUTPUT | grep
> '^>'
>
> but daily_status_security_diff_flags is set to "-b -u"
> in /etc/defaults/periodic.conf so there aren't lines beginning with ">",
> because we are doing an unified diff. The filter then gives no output
> and the only output of /etc/periodic/security/520.pfdenied is
>
> $HOSTNAME pf denied packets:
>
> This can be solved changing $filter from "grep '^>'" to "grep '^+'"
> in /etc/periodic/security/security.functions, line 46.

Or take the -u out of the default, which I think is the intended behavior,
looking at the commit logs.  The daily_status_security_diff_flags option
predates the pf scripts by about 3 months so I'm not sure how that got
past testing :)

Please send-pr this and poke mlaier and keramida about it.

-- 
Doug White                    |  FreeBSD: The Power to Serve
dwhite_at_gumbysoft.com          |  www.FreeBSD.org
Received on Tue Feb 22 2005 - 17:06:16 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:28 UTC