firewall: add automatic outbound NAT logging option

This is largely for testing our NAT log patch, but might be
useful for someone.

Inline filterlog restart since it uses syslog() and does not
need to be restarted when syslog settings change.

src/etc/inc/filter.inc

@@ -92,25 +92,6 @@ function filter_rules_sort()
     }
 }
 
-function filter_pflog_start($verbose = false)
-{
-    if ($verbose) {
-        echo 'Starting PFLOG...';
-        flush();
-    }
-
-    killbypid('/var/run/filterlog.pid', 'TERM', true);
-
-    /* enable permanent promiscuous mode to avoid dmesg noise */
-    mwexec('/sbin/ifconfig pflog0 promisc');
-
-    mwexec('/usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid');
-
-    if ($verbose) {
-        echo "done.\n";
-    }
-}
-
 function filter_configure()
 {
     /*
@@ -282,12 +263,13 @@ function filter_configure_sync($verbose = false, $load_aliases = true)
             if (substr($ifcfg['if'], 0, 4) != 'ovpn' && !empty($ifcfg['gateway'])) {
                 foreach (array(500, null) as $dstport) {
                     $rule = array(
-                        "interface" => $intf,
-                        "dstport" => $dstport,
-                        "staticnatport" => !empty($dstport),
-                        "destination" => array("any" => true),
-                        "ipprotocol" => 'inet',
-                        "descr" => "Automatic outbound rule"
+                        'descr' => 'Automatic outbound rule',
+                        'destination' => array('any' => true),
+                        'dstport' => $dstport,
+                        'interface' => $intf,
+                        'ipprotocol' => 'inet',
+                        'log' => !empty($config['syslog']['logoutboundnat']),
+                        'staticnatport' => !empty($dstport),
                     );
                     foreach ($intfv4 as $network) {
                         $rule['source'] = array("network" => $network);
@@ -544,10 +526,20 @@ function filter_configure_sync($verbose = false, $load_aliases = true)
     }
 
     if ($verbose) {
-        echo "done.\n";
+        echo '.';
+        flush();
     }
 
-    filter_pflog_start($verbose);
+    /* enable permanent promiscuous mode to avoid dmesg noise */
+    mwexec('/sbin/ifconfig pflog0 promisc');
+
+    /* bring up new instance of filterlog to load new rules */
+    killbypid('/var/run/filterlog.pid', 'TERM', true);
+    mwexec('/usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid');
+
+    if ($verbose) {
+        echo "done.\n";
+    }
 
     unlock($filterlck);
 }

src/www/diag_logs_settings.php

@@ -65,6 +65,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig['logdefaultpass'] = empty($config['syslog']['nologdefaultpass']);
     $pconfig['logbogons'] = empty($config['syslog']['nologbogons']);
     $pconfig['logprivatenets'] = empty($config['syslog']['nologprivatenets']);
+    $pconfig['logoutboundnat'] = !empty($config['syslog']['logoutboundnat']);
     $pconfig['loglighttpd'] = empty($config['syslog']['nologlighttpd']);
     $pconfig['disablelocallogging'] = isset($config['syslog']['disablelocallogging']);
 } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
@@ -110,10 +111,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             $oldnologbogons = isset($config['syslog']['nologbogons']);
             $oldnologprivatenets = isset($config['syslog']['nologprivatenets']);
             $oldnologlighttpd = isset($config['syslog']['nologlighttpd']);
+            $oldlogoutboundnat = isset($config['syslog']['logoutboundnat']);
             $config['syslog']['nologdefaultblock'] = empty($pconfig['logdefaultblock']);
             $config['syslog']['nologdefaultpass'] = empty($pconfig['logdefaultpass']);
             $config['syslog']['nologbogons'] = empty($pconfig['logbogons']);
             $config['syslog']['nologprivatenets'] = empty($pconfig['logprivatenets']);
+            $config['syslog']['logoutboundnat'] = !empty($pconfig['logoutboundnat']);
             $config['syslog']['nologlighttpd'] = empty($pconfig['loglighttpd']);
 
             write_config();
@@ -123,6 +126,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             if (($oldnologdefaultblock !== isset($config['syslog']['nologdefaultblock']))
               || ($oldnologdefaultpass !== isset($config['syslog']['nologdefaultpass']))
               || ($oldnologbogons !== isset($config['syslog']['nologbogons']))
+              || ($oldlogoutboundnat !== isset($config['syslog']['logoutboundnat']))
               || ($oldnologprivatenets !== isset($config['syslog']['nologprivatenets']))) {
               filter_configure();
             }
@@ -134,8 +138,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                 configd_run('webgui restart 2', true);
                 $savemsg .= "<br />" . gettext("WebGUI process is restarting.");
             }
-
-            filter_pflog_start();
         }
     }
 }
@@ -261,6 +263,13 @@ $(document).ready(function() {
                       </div>
                     </td>
                   </tr>
+                  <tr>
+                    <td></td>
+                    <td>
+                      <input name="logoutboundnat" type="checkbox" id="logoutboundnat" value="yes" <?php if ($pconfig['logoutboundnat']) echo "checked=\"checked\""; ?> />
+                      <?= gettext('Log packets processed by automatic outbound NAT rules') ?>
+                    </td>
+                  </tr>
                   <tr>
                     <td></td>
                     <td>