From: "Kevin Oberman" <oberman@es.net>
To: Julian Elischer
Cc: "Bjoern A. Zeeb", Luigi Rizzo, FreeBSD current mailing list <current@freebsd.org>
Subject: Re: [PATCH] ipfw logging through tcpdump ?
Date: Wed, 16 Dec 2009 11:56:55 -0800
In-reply-to: Your message of "Tue, 15 Dec 2009 09:06:04 PST." <4B27C1FC.5030800@elischer.org>
Message-Id: <20091216195655.E37FA1CC0C@ptavv.es.net>
> Date: Tue, 15 Dec 2009 09:06:04 -0800
> From: Julian Elischer
> Sender: owner-freebsd-current@freebsd.org
>
> Luigi Rizzo wrote:
> > On Tue, Dec 15, 2009 at 10:09:47AM +0000, Bjoern A. Zeeb wrote:
> >> On Tue, 15 Dec 2009, Luigi Rizzo wrote:
> >>
> >> Hi,
> >>
> >>> The following ipfw patch (which i wrote back in 2001/2002) makes
> >>> ipfw logging possible through tcpdump -- it works by passing to the
> >>> fake device 'ipfw0' all packets matching rules marked 'log'.
> >>> The use is very simple -- to test it just do
> >>>
> >>> ipfw add 100 count log ip from any to any
> >>>
> >>> and then
> >>>
> >>> tcpdump -ni ipfw0
> >>>
> >>> will show all matching traffic.
> >>>
> >>> I think this is a quite convenient and flexible option, so if there
> >>> are no objections I plan to commit it to head.
> >>
> >> pf(4) has pflog(4). Ideally calling it the same would be good though
> >> I wonder if two of the three of our firewalls grow that feature,
> >> if we could have a common packet logging device rather than re-doing
> >> it for each implementation.
> >>
> >> Frankly, I haven't looked at the details of the implementation but I
> >> found getting rule numbers with tcpdump -e etc. was pretty cool to
> >> identify where things were blocked or permitted.
> >
> > this is something trivial which i have planned already -- stuff
> > 10-12 bytes in the MAC header with rule numbers and actions
> > is surely trivial.
> >
> > Thanks for the pointer to pflog, i'll look at that.
> >
> >> Also make sure that the per-VIMAGE interface will work correctly and
> >> as expected.
> >
> > On this i would like more feedback -- is there anything special
> > that I am supposed to do to create per-vimage interfaces ?
> > Could you look at the code i sent ?
> > "ipfw0" uses the same attach/detach code used by if_tap.
>
> I'm not sure we should do everything just because we can.
> it gives us nothing that we can't already get. you can filter using
> ipfw netgraph -> netgraph bpf -> ng_socket
> you can efficiently capture packets with divert (or tee)
> you can write to pcap files using phk's program.

While I agree with the sentiment, the proposal is so simple and elegant and
so easy to use that I think it would be crazy to not do it. It's just much
easier to use on an impromptu basis than doing the netgraph stuff (except
for those who do lots of netgraph).
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net                  Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
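The mechanism under discussion, modelled as an added example (this is not Luigi's patch, FreeBSD's ipfw0 code, or pflog(4)): matched packets are copied to a fake link-layer device, and, as Luigi proposes in reply to Bjoern, the rule number and action are stuffed into the address bytes of a fake Ethernet header that tcpdump -e will print. The 12-byte address layout, the action codes, the 'ipfw' tag and the sample IPv4 packets are all assumptions made for illustration. The pcap writer emits a real big-endian pcap file with DLT_EN10MB, so its output can be inspected with tcpdump -e -r to see how the metadata shows up as "MAC addresses".

```python
"""Model of an ipfw0-style logging pseudo-interface.

Packets matching a 'log' rule are handed to a fake link-layer device, and
the rule number / action are stuffed into the Ethernet address bytes that
the fake header does not otherwise need, so 'tcpdump -e' can show them.
The 12-byte layout below is an ASSUMED encoding used for illustration; it
is not FreeBSD's actual ipfw0 or pflog(4) format.
"""
import io
import struct

DLT_EN10MB = 1          # pcap link type: plain Ethernet frames
ETHERTYPE_IP = 0x0800
PCAP_MAGIC = 0xA1B2C3D4
ETHER_HDR_LEN = 14

# Hypothetical action codes for the fake header (assumption, not ipfw's).
ACTION_CODES = {"count": 0, "allow": 1, "deny": 2}
ACTION_NAMES = {v: k for k, v in ACTION_CODES.items()}
DIR_IN, DIR_OUT = 0, 1


def encode_fake_ether(rule, action, direction, payload, ethertype=ETHERTYPE_IP):
    """Prepend a 14-byte fake Ethernet header carrying rule metadata.

    dst address (6 bytes): rule number as u32 BE, action code, direction
    src address (6 bytes): 'ipfw' tag plus a u16 set number (always 0 here)
    """
    if not 0 <= rule <= 0xFFFFFFFF:
        raise ValueError("rule number must fit in 32 bits")
    dst = struct.pack("!IBB", rule, ACTION_CODES[action], direction)
    src = b"ipfw" + struct.pack("!H", 0)
    return dst + src + struct.pack("!H", ethertype) + payload


def decode_fake_ether(frame):
    """Recover rule metadata and the IP payload from a fake-header frame."""
    if len(frame) < ETHER_HDR_LEN:
        raise ValueError("frame shorter than the fake Ethernet header")
    rule, code, direction = struct.unpack("!IBB", frame[:6])
    if frame[6:10] != b"ipfw":
        raise ValueError("not an ipfw0 frame: missing 'ipfw' tag")
    ethertype, = struct.unpack("!H", frame[12:14])
    return {
        "rule": rule,
        "action": ACTION_NAMES.get(code, "unknown"),
        "dir": "in" if direction == DIR_IN else "out",
        "ethertype": ethertype,
        "payload": frame[ETHER_HDR_LEN:],
    }


def log_matching(rule, action, packets):
    """Emulate 'ipfw add <rule> <action> log ip from any to any':
    every (direction, packet) pair matches and is copied to ipfw0."""
    return [encode_fake_ether(rule, action, d, pkt) for d, pkt in packets]


def write_pcap(frames):
    """Serialise frames as a big-endian pcap file readable by tcpdump -r."""
    buf = io.BytesIO()
    buf.write(struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB))
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, caplen, wirelen
        buf.write(struct.pack("!IIII", i, 0, len(frame), len(frame)))
        buf.write(frame)
    return buf.getvalue()


def read_pcap(data):
    """Walk the pcap records and decode each fake-header frame."""
    magic, = struct.unpack("!I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unexpected pcap magic")
    off = 24
    while off < len(data):
        _sec, _usec, caplen, _wirelen = struct.unpack("!IIII", data[off:off + 16])
        off += 16
        yield decode_fake_ether(data[off:off + caplen])
        off += caplen


def summarize(entry):
    """One-line rendering in the spirit of 'tcpdump -e -ni ipfw0'."""
    p = entry["payload"]
    src = ".".join(map(str, p[12:16]))
    dst = ".".join(map(str, p[16:20]))
    return (f"rule {entry['rule']} {entry['action']} {entry['dir']}: "
            f"{src} > {dst} proto {p[9]} len {len(p)}")


def sample_ipv4(src, dst, proto=17, payload=b""):
    """Constructed minimal IPv4 packet (checksum left zero; test data only)."""
    a = bytes(int(x) for x in src.split("."))
    b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, a, b) + payload


if __name__ == "__main__":
    pkts = [(DIR_IN, sample_ipv4("10.0.0.1", "192.0.2.7", payload=b"\0" * 8)),
            (DIR_OUT, sample_ipv4("192.0.2.7", "10.0.0.1", proto=6))]
    for e in read_pcap(write_pcap(log_matching(100, "count", pkts))):
        print(summarize(e))
```

The design point this makes concrete is the one Bjoern raises: with a plain Ethernet DLT the only place for metadata is the address bytes, which tcpdump prints but cannot interpret, whereas pflog(4) uses its own link type with a dedicated header that carries rule number and action as named fields. A shared logging device would mean settling on one of those two encodings for all three firewalls.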