ipfw2 logging through tcpdump ?
Luigi Rizzo
rizzo at icir.org
Mon Sep 15 04:15:27 PDT 2003
Having recently played a bit with largish ipfw configurations,
I would have really liked to have a more flexible logging facility
for ipfw.
It occurred to me that one way could be to extend the ipfw2
"log" option to optionally pass to a bpf listener a copy of the packets
selected by the ipfw rule (maybe with some tag showing the rule
they come from) so that one can run a tcpdump on that stream when
detailed analysis is required, and have essentially zero overhead in
other cases.
What do people think? Implementation should be almost trivial,
amounting to creating a fake struct ifnet for ipfw2 (suitably
initialized to give it a name and pretend it is up and running and
has an address assigned), calling
bpfattach() on it, and then implementing an ipfw2 instruction
which always succeeds and, if there is a listener,
calls bpf_mtap() on the mbuf.
Does this make sense? And, any idea on how to tag the packet with
a rule number in a way that tcpdump can filter? (Yes, I am looking
for dirty hacks here...)
(and speaking of dirty hacks, of course layer3 packets can be
easily prepended with a fake MAC header which includes the matching
rule number in the ether src/dst addresses, but this trick won't
work for layer2 packets, which we do care about).
cheers
luigi
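The "fake MAC header" trick from the post, as an added example that is not Luigi's code and not the FreeBSD ipfw implementation: a user-space model of what the kernel side would prepend before handing a layer-3 packet to bpf_mtap(). The rule number (ipfw rule numbers fit in 16 bits) is stored big-endian in the last two bytes of the source address, the destination address is a fixed locally-administered marker, and the ethertype tells tcpdump how to decode the payload. The marker value, the field layout and the helper names are assumptions for illustration; the sample IPv4 header is constructed. As the post notes, this only covers layer-3 packets: a layer-2 packet already carries a real Ethernet header, so there is nowhere to put the tag without clobbering it.

```c
/* Added example: user-space model of tagging a layer-3 packet with an
 * ipfw rule number via a fake Ethernet header, plus the matching
 * tcpdump filter. Not ipfw code; layout and marker are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
#define ETHER_HDR_LEN  14
#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_IPV6 0x86dd

/* Assumed marker for the fake destination address. The locally
 * administered bit (0x02) is set so it can never be a vendor MAC. */
static const uint8_t fake_dst[ETHER_ADDR_LEN] = {0x02, 0, 0, 0, 0, 0};

/* Build "<fake ether header><layer-3 packet>" into out.
 * Returns the total length, or 0 on bad arguments / short buffer. */
size_t build_fake_frame(uint8_t *out, size_t outlen, uint16_t rule,
                        uint16_t ethertype, const uint8_t *l3, size_t l3len)
{
    if (rule == 0 || l3len == 0 || outlen < ETHER_HDR_LEN + l3len)
        return 0;
    memcpy(out, fake_dst, ETHER_ADDR_LEN);          /* dst: marker   */
    memset(out + 6, 0, ETHER_ADDR_LEN);             /* src: 02:00:.. */
    out[6]  = 0x02;                                 /* locally admin.*/
    out[10] = (uint8_t)(rule >> 8);                 /* rule, big-end */
    out[11] = (uint8_t)(rule & 0xff);
    out[12] = (uint8_t)(ethertype >> 8);
    out[13] = (uint8_t)(ethertype & 0xff);
    memcpy(out + ETHER_HDR_LEN, l3, l3len);
    return ETHER_HDR_LEN + l3len;
}

/* Inverse, as a tcpdump reader would do it: recover the rule number.
 * Returns 0 and sets *rule, or -1 if the frame is short or not tagged. */
int rule_from_frame(const uint8_t *frame, size_t len, uint16_t *rule)
{
    if (len < ETHER_HDR_LEN || memcmp(frame, fake_dst, ETHER_ADDR_LEN) != 0)
        return -1;
    *rule = (uint16_t)((frame[10] << 8) | frame[11]);
    return *rule == 0 ? -1 : 0;
}

/* tcpdump expression selecting frames tagged with `rule`.
 * ether[10:2] is the low 16 bits of the source address.
 * Returns characters written (excluding NUL), or -1 if buf is too small. */
int tcpdump_filter_for_rule(uint16_t rule, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen,
                     "ether dst %02x:%02x:%02x:%02x:%02x:%02x and ether[10:2] = %u",
                     fake_dst[0], fake_dst[1], fake_dst[2],
                     fake_dst[3], fake_dst[4], fake_dst[5], (unsigned)rule);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void)
{
    /* Constructed minimal IPv4 header: 10.0.0.1 -> 10.0.0.2, proto UDP. */
    const uint8_t ip[20] = {0x45, 0, 0, 0x14, 0, 0, 0, 0, 64, 17, 0, 0,
                            10, 0, 0, 1, 10, 0, 0, 2};
    uint8_t frame[64];
    char filter[128];
    uint16_t rule;

    size_t len = build_fake_frame(frame, sizeof frame, 100, ETHERTYPE_IP,
                                  ip, sizeof ip);
    for (size_t i = 0; i < len; i++)
        printf("%02x%s", frame[i], (i + 1) % 16 == 0 ? "\n" : " ");
    printf("\n");
    if (rule_from_frame(frame, len, &rule) == 0)
        printf("tagged with rule %u\n", rule);
    tcpdump_filter_for_rule(100, filter, sizeof filter);
    printf("tcpdump -e -ni <fake-if> '%s'\n", filter);
    return 0;
}
```

Usage note: tcpdump's -e prints the link-level header, so the fake source address (and therefore the rule number) shows up on each line; `ether[10:2] = N` is plain pcap-filter syntax and needs no tcpdump changes. The decoder rejects frames whose destination is not the marker, so real Ethernet frames (the layer-2 case the trick does not cover) are not misread as tagged.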