From: Luigi Rizzo
To: "Bjoern A. Zeeb"
Cc: FreeBSD current mailing list
Date: Tue, 15 Dec 2009 20:10:26 +0100
Subject: Re: [PATCH] ipfw logging through tcpdump ?
Message-ID: <20091215191026.GB19841@onelab2.iet.unipi.it>
In-Reply-To: <20091215095440.U86040@maildrop.int.zabbadoz.net>
References: <20091214235307.GA5345@onelab2.iet.unipi.it> <20091215095440.U86040@maildrop.int.zabbadoz.net>

On Tue, Dec 15, 2009 at 10:09:47AM +0000, Bjoern A. Zeeb wrote:
> On Tue, 15 Dec 2009, Luigi Rizzo wrote:
>
> > Hi,
> >
> > The following ipfw patch (which I wrote back in 2001/2002) makes
> > ipfw logging possible through tcpdump -- it works by passing to the
> > fake device 'ipfw0' all packets matching rules marked 'log'.
> > The use is very simple -- to test it just do ...
>
> pf(4) has pflog(4). Ideally calling it the same would be good though
> I wonder if two of the three of our firewalls grow that feature,
> if we could have a common packet logging device rather than re-doing
> it for each implementation.
>
> Frankly, I haven't looked at the details of the implementation but I
> found getting rule numbers with tcpdump -e etc. was pretty cool to
> identify where things were blocked or permitted.

I checked the pflog sources (contrib/pf/net/if_pflog.c) and it is almost
exactly the same thing I am doing, plus a handful of lines to prepend
a header with the metadata. The main function, pflog_packet(), is so
short and simple that it would probably deserve going somewhere in
if_ethersubr.c or bpf.c so we can use it more easily.

cheers
luigi
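The metadata header mentioned above is what lets tcpdump print the rule number and verdict for each logged packet. As an added example (not part of this thread or of either patch), the following Python builds and decodes a DLT_PFLOG record, assuming the struct pfloghdr layout from pf's if_pflog.h (64 bytes, host byte order) and a constructed 20-byte IPv4 header as the logged packet:

```python
import struct
from typing import NamedTuple

# struct pfloghdr, as assumed from pf's if_pflog.h: length, af, action, reason,
# ifname[16], ruleset[16], rulenr, subrulenr, uid, pid, rule_uid, rule_pid,
# dir, pad[3]. The kernel writes it in host byte order, hence "=" (native).
PFLOG_HDRLEN = 64
_PFLOGHDR = struct.Struct("=BBBB16s16sIIIiIiB3x")
ACTIONS = {0: "pass", 1: "block"}        # PF_PASS, PF_DROP
DIRS = {0: "in/out", 1: "in", 2: "out"}  # PF_INOUT, PF_IN, PF_OUT
NO_UID, NO_PID = 0xFFFFFFFF, -1          # "not known" markers used by pflog


class PflogRecord(NamedTuple):
    action: str
    ifname: str
    rulenr: int
    subrulenr: int
    direction: str
    af: int
    payload: bytes  # the logged packet, IP header onward


def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_pflog(record: bytes) -> PflogRecord:
    """Split one pflog capture record into its metadata header and the packet."""
    if len(record) < PFLOG_HDRLEN:
        raise ValueError("record shorter than pflog header")
    (length, af, action, _reason, ifname, _ruleset, rulenr, subrulenr,
     _uid, _pid, _rule_uid, _rule_pid, direction) = _PFLOGHDR.unpack_from(record)
    if length != PFLOG_HDRLEN:
        raise ValueError(f"unexpected pflog header length {length}")
    return PflogRecord(ACTIONS.get(action, f"action#{action}"), _cstr(ifname),
                       rulenr, subrulenr, DIRS.get(direction, f"dir#{direction}"),
                       af, record[PFLOG_HDRLEN:])


def build_pflog(action: int, ifname: bytes, rulenr: int, direction: int,
                af: int, payload: bytes) -> bytes:
    """Prepend the metadata header the way a logging hook would, then the packet."""
    hdr = _PFLOGHDR.pack(PFLOG_HDRLEN, af, action, 0, ifname, b"", rulenr,
                         0xFFFFFFFF, NO_UID, NO_PID, NO_UID, NO_PID, direction)
    return hdr + payload


# Constructed sample: minimal IPv4/TCP header 10.0.0.1 -> 10.0.0.2, blocked
# inbound on em0 by rule 100 (af=2 is AF_INET).
SAMPLE_PACKET = bytes.fromhex("4500001400010000400600000a0000010a000002")
SAMPLE_RECORD = build_pflog(1, b"em0", 100, 1, 2, SAMPLE_PACKET)
```

Run over a real pflog capture the same decode yields what tcpdump -e prints for each packet: verdict, direction, interface and rule number.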