On Tue, Dec 15, 2009 at 10:09:47AM +0000, Bjoern A. Zeeb wrote:
> On Tue, 15 Dec 2009, Luigi Rizzo wrote:
>
> > Hi,
> >
> > The following ipfw patch (which I wrote back in 2001/2002) makes
> > ipfw logging possible through tcpdump -- it works by passing to the
> > fake device 'ipfw0' all packets matching rules marked 'log'.
> > The use is very simple -- to test it just do
> >
> >     ipfw add 100 count log ip from any to any
> >
> > and then
> >
> >     tcpdump -ni ipfw0
> >
> > will show all matching traffic.
> >
> > I think this is a quite convenient and flexible option, so if there
> > are no objections I plan to commit it to head.
>
> pf(4) has pflog(4). Ideally calling it the same would be good, though
> I wonder, if two of the three of our firewalls grow that feature,
> whether we could have a common packet logging device rather than
> re-doing it for each implementation.
>
> Frankly, I haven't looked at the details of the implementation but I
> found getting rule numbers with tcpdump -e etc. was pretty cool to
> identify where things were blocked or permitted.

This is something trivial which I have planned already -- stuffing
10-12 bytes in the MAC header with rule numbers and actions is surely
trivial. Thanks for the pointer to pflog, I'll look at that.

> Also make sure that the per-VIMAGE interface will work correctly and
> as expected.

On this I would like more feedback -- is there anything special that I
am supposed to do to create per-vimage interfaces? Could you look at
the code I sent? "ipfw0" uses the same attach/detach code used by
if_tap.

cheers
luigi

> /bz
>
> --
> Bjoern A. Zeeb
> It will not break if you know what you are doing.

Received on Tue Dec 15 2009 - 09:32:33 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:59 UTC
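An added example, not Luigi's patch and not FreeBSD code, sketching the follow-up idea from the thread: encode the matching rule number and the action into the fake Ethernet header that the ipfw0 pseudo-device hands to BPF, so that `tcpdump -e` shows them in the MAC address fields. The layout (action in the last byte of the destination MAC, rule number big-endian in the last four bytes of the source MAC), the action codes, the sample packet and every function name here are assumptions chosen for illustration, not the encoding the patch or later ipfw releases use.

```c
/*
 * Added example, not FreeBSD code.  The header layout, action codes and
 * function names are hypothetical choices for illustration only.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
#define ETHER_HDR_LEN  14
#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_IPV6 0x86DD

/* Hypothetical action codes carried in the fake destination MAC. */
enum ipfw_log_action {
	IPFW_LOG_PASS  = 1,
	IPFW_LOG_DENY  = 2,
	IPFW_LOG_COUNT = 3
};

/*
 * Build the frame the log device would pass to BPF: a 14-byte fake
 * Ethernet header followed by the unmodified IP packet.  Returns the
 * frame length, or 0 if the caller's buffer cannot hold it.
 */
size_t
ipfw_log_encode(uint8_t *frame, size_t cap, uint32_t rulenum,
    uint8_t action, const uint8_t *pkt, size_t pktlen)
{
	uint16_t ethertype;

	if (pktlen < 1 || cap < ETHER_HDR_LEN + pktlen)
		return (0);
	memset(frame, 0, ETHER_HDR_LEN);
	frame[5] = action;                 /* dst MAC: action in last byte */
	frame[8]  = (uint8_t)(rulenum >> 24); /* src MAC: rule number, */
	frame[9]  = (uint8_t)(rulenum >> 16); /* big-endian, in the    */
	frame[10] = (uint8_t)(rulenum >> 8);  /* last four bytes       */
	frame[11] = (uint8_t)rulenum;
	/* Real ethertype from the IP version nibble so tcpdump decodes the payload. */
	ethertype = ((pkt[0] >> 4) == 6) ? ETHERTYPE_IPV6 : ETHERTYPE_IP;
	frame[12] = (uint8_t)(ethertype >> 8);
	frame[13] = (uint8_t)ethertype;
	memcpy(frame + ETHER_HDR_LEN, pkt, pktlen);
	return (ETHER_HDR_LEN + pktlen);
}

/*
 * Inverse: recover rule number, action and the IP packet from a frame
 * read off the log device.  Returns 0 on success, -1 on a short frame.
 */
int
ipfw_log_decode(const uint8_t *frame, size_t len, uint32_t *rulenum,
    uint8_t *action, const uint8_t **pkt, size_t *pktlen)
{
	if (len < ETHER_HDR_LEN)
		return (-1);
	*action = frame[5];
	*rulenum = ((uint32_t)frame[8] << 24) | ((uint32_t)frame[9] << 16) |
	    ((uint32_t)frame[10] << 8) | (uint32_t)frame[11];
	*pkt = frame + ETHER_HDR_LEN;
	*pktlen = len - ETHER_HDR_LEN;
	return (0);
}

/* Render the header as "tcpdump -e" prints it: src MAC > dst MAC, ethertype. */
void
ipfw_log_format_mac(const uint8_t *frame, char *buf, size_t n)
{
	const uint8_t *d = frame, *s = frame + ETHER_ADDR_LEN;
	uint16_t et = (uint16_t)((frame[12] << 8) | frame[13]);

	snprintf(buf, n,
	    "%02x:%02x:%02x:%02x:%02x:%02x > %02x:%02x:%02x:%02x:%02x:%02x, "
	    "ethertype 0x%04x",
	    s[0], s[1], s[2], s[3], s[4], s[5],
	    d[0], d[1], d[2], d[3], d[4], d[5], et);
}

/* Constructed sample input: a minimal IPv4 header, 10.0.0.1 -> 10.0.0.2, ICMP. */
const uint8_t *
ipfw_log_sample_packet(size_t *len)
{
	static const uint8_t pkt[20] = {
		0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00,
		0x40, 0x01, 0x00, 0x00,   /* TTL 64, proto ICMP, checksum 0 */
		10, 0, 0, 1, 10, 0, 0, 2
	};

	*len = sizeof(pkt);
	return (pkt);
}

int
main(void)
{
	uint8_t frame[64];
	char line[96];
	size_t plen, flen;
	const uint8_t *pkt = ipfw_log_sample_packet(&plen);

	/* What a "count log" rule numbered 100 would hand to ipfw0. */
	flen = ipfw_log_encode(frame, sizeof(frame), 100, IPFW_LOG_COUNT, pkt, plen);
	ipfw_log_format_mac(frame, line, sizeof(line));
	printf("%zu-byte frame: %s\n", flen, line);
	return (0);
}
```

With this layout an operator reading `tcpdump -nei ipfw0` sees the rule number as the last bytes of the source MAC and the action as the last byte of the destination MAC, while the ethertype still lets tcpdump decode the IP payload normally; a frame shorter than the fake header is rejected by the decoder rather than read past its end.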