[PATCH] ipfw logging through tcpdump ?
rizzo at iet.unipi.it
Tue Dec 15 19:03:02 UTC 2009
On Tue, Dec 15, 2009 at 10:09:47AM +0000, Bjoern A. Zeeb wrote:
> On Tue, 15 Dec 2009, Luigi Rizzo wrote:
> >The following ipfw patch (which i wrote back in 2001/2002) makes
> >ipfw logging possible through tcpdump -- it works by passing to the
> >fake device 'ipfw0' all packets matching rules marked 'log' .
> >The use is very simple -- to test it just do
> pf(4) has pflog(4). Ideally calling it the same would be good though
> I wonder if two of the the three of our firewalls grow that feature,
> if we could have a common packet logging device rather than re-doing
> it for each implementation.
> Frankly, I haven't looked at the details of the implementation but I
> found getting rul numbers with tcpdump -e etc. was pretty cool to
> identify where things were blocked or permitted.
i checked pflog sources (contrib/pf/net/if_pflog.c) and it is almost
exactly the same thing i am doing, plus a handful of lines to prepend
a header with the metadata.
The main function, pflog_packet(), is so short and simple that
it would probably deserve going somewhere in if_ethersubr.c or
bpf<something>.c so we can use it more easily.
More information about the freebsd-current