svn commit: r213810 - head/sbin/ipfw
Luigi Rizzo
luigi at FreeBSD.org
Wed Oct 13 22:07:58 UTC 2010
Author: luigi
Date: Wed Oct 13 22:07:57 2010
New Revision: 213810
URL: http://svn.freebsd.org/changeset/base/213810
Log:
document logging through bpf
Modified:
head/sbin/ipfw/ipfw.8
Modified: head/sbin/ipfw/ipfw.8
==============================================================================
--- head/sbin/ipfw/ipfw.8 Wed Oct 13 22:04:55 2010 (r213809)
+++ head/sbin/ipfw/ipfw.8 Wed Oct 13 22:07:57 2010 (r213810)
@@ -557,28 +557,33 @@ packet delivery.
Note: this condition is checked before any other condition, including
ones such as keep-state or check-state which might have side effects.
.It Cm log Op Cm logamount Ar number
-When a packet matches a rule with the
+Packets matching a rule with the
.Cm log
-keyword, a message will be
-logged to
+keyword will be made available for logging in two ways:
+if the sysctl variable
+.Va net.inet.ip.fw.verbose
+is set to 0 (default), one can use
+.Xr bpf 4
+attached to the
+.Xr ipfw0
+pseudo interface. There is no overhead if no
+.Xr bpf
+is attached to the pseudo interface.
+.Pp
+If
+.Va net.inet.ip.fw.verbose
+is set to 1, packets will be logged to
.Xr syslogd 8
with a
.Dv LOG_SECURITY
-facility.
-The logging only occurs if the sysctl variable
-.Va net.inet.ip.fw.verbose
-is set to 1
-(which is the default when the kernel is compiled with
-.Dv IPFIREWALL_VERBOSE )
-and the number of packets logged so far for that
-particular rule does not exceed the
+facility up to a maximum of
.Cm logamount
-parameter.
+packets.
If no
.Cm logamount
is specified, the limit is taken from the sysctl variable
.Va net.inet.ip.fw.verbose_limit .
-In both cases, a value of 0 removes the logging limit.
+In both cases, a value of 0 means unlimited logging.
.Pp
Once the limit is reached, logging can be re-enabled by
clearing the logging counter or the packet counter for that entry, see the
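Review bot: In the added bpf text, `.Xr ipfw0` and the second `.Xr bpf` misuse the cross-reference macro: ipfw0 is an interface name rather than a manual page, and the bare `.Xr bpf` drops the section given a few lines earlier as `.Xr bpf 4`. Suggest a literal macro for the interface name (for example `.Li ipfw0`) and `.Xr bpf 4` in both places. The line `+pseudo interface. There is no overhead if no` also starts a new sentence mid-line, which mdoc sources normally avoid. On content, the removed text noted that net.inet.ip.fw.verbose defaults to 1 when the kernel is compiled with IPFIREWALL_VERBOSE, while the new text states "0 (default)" without that qualification; if the kernel option still changes the default, keep the caveat. The new wording also attaches the logamount limit only to the syslogd path, so please state explicitly whether the limit applies to packets delivered to bpf on ipfw0, since anyone capturing there for audit needs to know whether capture stops once the counter is reached.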