From: Julian Elischer <julian@elischer.org>
Date: Tue, 15 Dec 2009 09:06:04 -0800
To: Luigi Rizzo
Cc: "Bjoern A. Zeeb", FreeBSD current mailing list <freebsd-current@freebsd.org>
Subject: Re: [PATCH] ipfw logging through tcpdump ?
Message-ID: <4B27C1FC.5030800@elischer.org>
In-Reply-To: <20091215103956.GA14068@onelab2.iet.unipi.it>
References: <20091214235307.GA5345@onelab2.iet.unipi.it> <20091215095440.U86040@maildrop.int.zabbadoz.net> <20091215103956.GA14068@onelab2.iet.unipi.it>

Luigi Rizzo wrote:
> On Tue, Dec 15, 2009 at 10:09:47AM +0000, Bjoern A. Zeeb wrote:
>> On Tue, 15 Dec 2009, Luigi Rizzo wrote:
>>
>> Hi,
>>
>>> The following ipfw patch (which I wrote back in 2001/2002) makes
>>> ipfw logging possible through tcpdump -- it works by passing to the
>>> fake device 'ipfw0' all packets matching rules marked 'log'.
>>> The use is very simple -- to test it just do
>>>
>>> ipfw add 100 count log ip from any to any
>>>
>>> and then
>>>
>>> tcpdump -ni ipfw0
>>>
>>> will show all matching traffic.
>>>
>>> I think this is a quite convenient and flexible option, so if there
>>> are no objections I plan to commit it to head.
>>
>> pf(4) has pflog(4). Ideally calling it the same would be good, though
>> I wonder, if two of the three of our firewalls grow that feature,
>> whether we could have a common packet logging device rather than re-doing
>> it for each implementation.
>>
>> Frankly, I haven't looked at the details of the implementation, but I
>> found getting rule numbers with tcpdump -e etc. was pretty cool to
>> identify where things were blocked or permitted.
>
> This is something trivial which I have planned already -- stuffing
> 10-12 bytes in the MAC header with rule numbers and actions
> is surely trivial.
>
> Thanks for the pointer to pflog, I'll look at that.
>
>> Also make sure that the per-VIMAGE interface will work correctly and
>> as expected.
>
> On this I would like more feedback -- is there anything special
> that I am supposed to do to create per-vimage interfaces?
> Could you look at the code I sent?
> "ipfw0" uses the same attach/detach code used by if_tap.

I'm not sure we should do everything just because we can.
It gives us nothing that we can't already get.

You can filter using ipfw netgraph -> netgraph bpf -> ng_socket.
You can efficiently capture packets with divert (or tee).
You can write to pcap files using phk's program.

>
> cheers
> luigi
>
>> /bz
>>
>> --
>> Bjoern A. Zeeb                 It will not break if you know what you are doing.
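Luigi's reply sketches the follow-up Bjoern asks for: the frames handed to the fake logging interface carry a link-layer header whose bytes hold the matching rule number and action, so that `tcpdump -e` on that interface shows which rule logged each packet. The script below is an added example written for this page, not code from Luigi's patch, from pflog(4) or from FreeBSD. It packs rule number, action and direction into the 12 address bytes of a pseudo-Ethernet header, writes the logged frames into a pcap byte stream (the same file format tcpdump -w produces), and reads them back out, decoding the metadata the way a link-level dissector would. The 14-byte header layout, the `IPFW` tag, the action and direction codes, and the two UDP packets are all constructed assumptions for illustration, not the real ipfw0 or pflog encoding.

```python
"""Carry ipfw rule metadata in the link-layer header of a logging pseudo-interface.

Added example, not code from the patch discussed on the list or from FreeBSD.
The 14-byte pseudo-Ethernet header used here is a HYPOTHETICAL layout chosen to
illustrate "stuff 10-12 bytes in the MAC header with rule numbers and actions";
it is not the real ipfw0 or pflog(4) encoding.
"""
import struct
from socket import inet_aton, inet_ntoa

PCAP_MAGIC = 0xA1B2C3D4      # pcap file magic (written little-endian)
DLT_EN10MB = 1               # libpcap link type for Ethernet frames
ETHERTYPE_IPV4 = 0x0800
LOG_MAGIC = b"IPFW"          # hypothetical tag placed in the "source MAC" field

ACTIONS = {0: "count", 1: "allow", 2: "deny"}      # hypothetical action codes
DIRECTIONS = {0: "in", 1: "out"}                   # hypothetical direction codes


def pseudo_mac_header(rule_number, action, direction):
    """Fake Ethernet header: dst MAC = rule number (4B) + action (1B) + direction (1B),
    src MAC = LOG_MAGIC + 2 pad bytes, followed by the real EtherType."""
    return struct.pack("!IBB4s2sH", rule_number, action, direction,
                       LOG_MAGIC, b"\x00\x00", ETHERTYPE_IPV4)


def ip_checksum(header):
    """RFC 1071 ones'-complement sum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """Minimal IPv4+UDP datagram (constructed sample traffic; UDP checksum left 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    fields = [0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
              inet_aton(src_ip), inet_aton(dst_ip)]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + udp


def write_pcap(records):
    """Serialise (ts_sec, ts_usec, frame) tuples into a pcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Parse a pcap byte string back into (ts_sec, ts_usec, frame) tuples."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != DLT_EN10MB:
        raise ValueError("not a little-endian Ethernet pcap")
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((ts_sec, ts_usec, data[off:off + caplen]))
        off += caplen
    return records


def decode_logged_frame(frame):
    """Recover the rule metadata from the pseudo header and the 5-tuple from the packet,
    i.e. what a tcpdump -e style dissector for this interface would print."""
    rule, action, direction, magic, _, ethertype = struct.unpack_from("!IBB4s2sH", frame, 0)
    if magic != LOG_MAGIC or ethertype != ETHERTYPE_IPV4:
        raise ValueError("frame does not carry the hypothetical ipfw log header")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    ports = struct.unpack_from("!HH", ip, ihl) if proto in (6, 17) else (None, None)
    return {"rule": rule, "action": ACTIONS.get(action, "?"),
            "dir": DIRECTIONS.get(direction, "?"),
            "src": inet_ntoa(ip[12:16]), "dst": inet_ntoa(ip[16:20]),
            "proto": proto, "sport": ports[0], "dport": ports[1]}


def demo():
    """Log two constructed packets as a 'count log' rule 100 would, round-trip
    them through pcap, and return the decoded entries."""
    pkt1 = build_ipv4_udp("10.0.0.1", "10.0.0.2", 5353, 53, b"query")
    pkt2 = build_ipv4_udp("10.0.0.2", "10.0.0.1", 53, 5353, b"answer")
    frames = [(1260893164, 0, pseudo_mac_header(100, 0, 0) + pkt1),     # constructed timestamps
              (1260893164, 1500, pseudo_mac_header(100, 0, 1) + pkt2)]
    pcap = write_pcap(frames)
    return [decode_logged_frame(f) for _, _, f in read_pcap(pcap)]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Because the metadata lives in the link-layer header rather than in the IP payload, ordinary BPF filters on the IP headers keep working unchanged while `-e` exposes the rule number, which is the property Bjoern found useful with pflog.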