Re: [PATCH] ipfw logging through tcpdump ?

From: Luigi Rizzo <rizzo_at_iet.unipi.it>
Date: Tue, 15 Dec 2009 11:39:56 +0100
On Tue, Dec 15, 2009 at 10:09:47AM +0000, Bjoern A. Zeeb wrote:
> On Tue, 15 Dec 2009, Luigi Rizzo wrote:
> 
> Hi,
> 
> >The following ipfw patch (which i wrote back in 2001/2002) makes
> >ipfw logging possible through tcpdump -- it works by passing to the
> >fake device 'ipfw0' all packets matching rules marked 'log' .
> >The use is very simple -- to test it just do
> >
> >	ipfw add 100 count log ip from any to any
> >
> >and then
> >
> >	tcpdump -ni ipfw0
> >
> >will show all matching traffic.
> >
> >I think this is a quite convenient and flexible option, so if there
> >are no objections I plan to commit it to head.
> 
> 
> pf(4) has pflog(4).   Ideally calling it the same would be good though
> I wonder if two of the the three of our firewalls grow that feature,
> if we could have a common packet logging device rather than re-doing
> it for each implementation.
> 
> Frankly,  I haven't looked at the details of the implementation but I
> found getting rul numbers with tcpdump -e etc. was pretty cool to
> identify where things were blocked or permitted.

this is something trivial which i have planned already -- stuff
10-12 bytes in the MAC header with rule numbers and actions
is surely trivial.

Thanks for the pointer to pflog, i'll look at that.

> Also make sure that the per-VIMAGE interface will work correctly and
> as expected.

On this i would like more feedback -- is there anything special
that I am supposed to do to create per-vimage interfaces ?
Could you look at the code i sent ?
"ipfw0" uses the same attach/detach code used by if_tap.

cheers
luigi

> /bz
> 
> -- 
> Bjoern A. Zeeb         It will not break if you know what you are doing.
Received on Tue Dec 15 2009 - 09:32:33 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:59 UTC