[PATCH] ipfw logging through tcpdump ?
rizzo at iet.unipi.it
Tue Dec 15 10:32:34 UTC 2009
On Tue, Dec 15, 2009 at 10:09:47AM +0000, Bjoern A. Zeeb wrote:
> On Tue, 15 Dec 2009, Luigi Rizzo wrote:
> >The following ipfw patch (which i wrote back in 2001/2002) makes
> >ipfw logging possible through tcpdump -- it works by passing to the
> >fake device 'ipfw0' all packets matching rules marked 'log'.
> >The use is very simple -- to test it just do
> > ipfw add 100 count log ip from any to any
> >and then
> > tcpdump -ni ipfw0
> >will show all matching traffic.
> >I think this is a quite convenient and flexible option, so if there
> >are no objections I plan to commit it to head.
> pf(4) has pflog(4). Ideally calling it the same would be good though
> I wonder if two of the three of our firewalls grow that feature,
> if we could have a common packet logging device rather than re-doing
> it for each implementation.
> Frankly, I haven't looked at the details of the implementation but I
> found getting rule numbers with tcpdump -e etc. was pretty cool to
> identify where things were blocked or permitted.
this is something trivial which i have planned already -- stuff
10-12 bytes in the MAC header with rule numbers and actions
is surely trivial.
Thanks for the pointer to pflog, i'll look at that.
> Also make sure that the per-VIMAGE interface will work correctly and
> as expected.
On this i would like more feedback -- is there anything special
that I am supposed to do to create per-vimage interfaces ?
Could you look at the code i sent ?
"ipfw0" uses the same attach/detach code used by if_tap.
> Bjoern A. Zeeb It will not break if you know what you are doing.