From owner-freebsd-current@FreeBSD.ORG  Tue Dec 15 19:03:02 2009
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 152D5106568B
	for <current@freebsd.org>; Tue, 15 Dec 2009 19:03:02 +0000 (UTC)
	(envelope-from luigi@onelab2.iet.unipi.it)
Received: from onelab2.iet.unipi.it (onelab2.iet.unipi.it [131.114.59.238])
	by mx1.freebsd.org (Postfix) with ESMTP id CF0638FC22
	for <current@freebsd.org>; Tue, 15 Dec 2009 19:03:01 +0000 (UTC)
Received: by onelab2.iet.unipi.it (Postfix, from userid 275)
	id 4E5C973098; Tue, 15 Dec 2009 20:10:26 +0100 (CET)
Date: Tue, 15 Dec 2009 20:10:26 +0100
From: Luigi Rizzo <rizzo@iet.unipi.it>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Message-ID: <20091215191026.GB19841@onelab2.iet.unipi.it>
References: <20091214235307.GA5345@onelab2.iet.unipi.it>
	<20091215095440.U86040@maildrop.int.zabbadoz.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20091215095440.U86040@maildrop.int.zabbadoz.net>
User-Agent: Mutt/1.4.2.3i
Cc: FreeBSD current mailing list <current@freebsd.org>
Subject: Re: [PATCH] ipfw logging through tcpdump ?
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2009 19:03:02 -0000

On Tue, Dec 15, 2009 at 10:09:47AM +0000, Bjoern A. Zeeb wrote:
> On Tue, 15 Dec 2009, Luigi Rizzo wrote:
> 
> Hi,
> 
> >The following ipfw patch (which i wrote back in 2001/2002) makes
> >ipfw logging possible through tcpdump -- it works by passing to the
> >fake device 'ipfw0' all packets matching rules marked 'log' .
> >The use is very simple -- to test it just do
...
> pf(4) has pflog(4).   Ideally calling it the same would be good though
> I wonder if two of the the three of our firewalls grow that feature,
> if we could have a common packet logging device rather than re-doing
> it for each implementation.
> 
> Frankly,  I haven't looked at the details of the implementation but I
> found getting rul numbers with tcpdump -e etc. was pretty cool to
> identify where things were blocked or permitted.

i checked pflog sources (contrib/pf/net/if_pflog.c) and it is almost
exactly the same thing i am doing, plus a handful of lines to prepend
a header with the metadata.
The main function, pflog_packet(), is so short and simple that
it would probably deserve going somewhere in if_ethersubr.c or
bpf<something>.c so we can use it more easily.

cheers
luigi