[PATCH] ipfw logging through tcpdump ?

Luigi Rizzo rizzo at iet.unipi.it
Tue Dec 15 18:52:02 UTC 2009

On Tue, Dec 15, 2009 at 09:06:04AM -0800, Julian Elischer wrote:
> Luigi Rizzo wrote:
> >>>The following ipfw patch (which i wrote back in 2001/2002) makes
> >>>ipfw logging possible through tcpdump -- it works by passing to the
> >>>fake device 'ipfw0' all packets matching rules marked 'log' .
> >>>The use is very simple -- to test it just do
> >>>
> >>>	ipfw add 100 count log ip from any to any
> >>>
> >>>and then
> >>>
> >>>	tcpdump -ni ipfw0
> >>>
> >>>will show all matching traffic.
> >>>
> >>>I think this is a quite convenient and flexible option, so if there
> >>>are no objections I plan to commit it to head.
> I'm not sure we should do everything just because we can.
> it gives us nothing that we can't already get. you can filter using
> ipfw netgraph -> netgraph bpf -> ng_socket
> you can efficiently capture packets with divert (or tee)
> you can write to pcap files using phk's program.

it's not "because we can", it is "because it costs almost nothing
and gives new functionality".
The cost is just 30 lines of code (including comments) and one extra
compare on matching packets (those for which you already enabled
the 'log' option, so were prepared to pay the price of logging.

Most importantly, you don't need to change the existing ipfw configs.
That is, in my opinion, the main advantage.


More information about the freebsd-current mailing list