pfdenied: support reporting on additional anchors

The security/520-pfdenied script only reports blocked packets from the
main ruleset or any blocklistd(8) anchor.

Add an option to periodic.conf(5) to make it possible to specify
additional anchors to report.

PR:		262446
Reviewed by:	kp

share/man/man5/periodic.conf.5

@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd March 7, 2022
+.Dd March 9, 2022
 .Dt PERIODIC.CONF 5
 .Os
 .Sh NAME
@@ -960,6 +960,13 @@ Set to
 to show log entries for packets denied by
 .Xr pf 4
 since yesterday's check.
+.It Va security_status_pfdenied_additionalanchors
+.Pq Vt str
+Space-separated list of additional anchors whose denied packets log entries to
+show.
+The main ruleset (i.e., the empty-string anchor) and any
+.Xr blacklistd 8
+anchors, if present, are always shown.
 .It Va security_status_pfdenied_period
 .Pq Vt str
 Set to either

usr.sbin/periodic/etc/security/520.pfdenied

@@ -44,7 +44,7 @@ rc=0
 if check_yesno_period security_status_pfdenied_enable
 then
 	TMP=`mktemp -t security`
-	for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null)
+	for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) ${security_status_pfdenied_anchors}
 	do
 		pfctl -a "${_a}" -sr -v -z 2>/dev/null | \
 		nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}

usr.sbin/periodic/periodic.conf

@@ -298,6 +298,7 @@ security_status_ipfdenied_period="daily"
 # 520.pfdenied
 security_status_pfdenied_enable="YES"
 security_status_pfdenied_period="daily"
+security_status_pfdenied_additionalanchors=""
 
 # 550.ipfwlimit
 security_status_ipfwlimit_enable="YES"