Re: [PATCH] ipfw logging through tcpdump ?

From: Julian Elischer <julian_at_elischer.org>
Date: Tue, 15 Dec 2009 09:06:04 -0800
Luigi Rizzo wrote:
> On Tue, Dec 15, 2009 at 10:09:47AM +0000, Bjoern A. Zeeb wrote:
>> On Tue, 15 Dec 2009, Luigi Rizzo wrote:
>>
>> Hi,
>>
>>> The following ipfw patch (which i wrote back in 2001/2002) makes
>>> ipfw logging possible through tcpdump -- it works by passing to the
>>> fake device 'ipfw0' all packets matching rules marked 'log' .
>>> The use is very simple -- to test it just do
>>>
>>> 	ipfw add 100 count log ip from any to any
>>>
>>> and then
>>>
>>> 	tcpdump -ni ipfw0
>>>
>>> will show all matching traffic.
>>>
>>> I think this is a quite convenient and flexible option, so if there
>>> are no objections I plan to commit it to head.
>>
>> pf(4) has pflog(4).   Ideally calling it the same would be good though
>> I wonder if two of the three of our firewalls grow that feature,
>> if we could have a common packet logging device rather than re-doing
>> it for each implementation.
>>
>> Frankly,  I haven't looked at the details of the implementation but I
>> found getting rule numbers with tcpdump -e etc. was pretty cool to
>> identify where things were blocked or permitted.
> 
> this is something trivial which i have planned already -- stuff
> 10-12 bytes in the MAC header with rule numbers and actions
> is surely trivial.
> 
> Thanks for the pointer to pflog, i'll look at that.
> 
>> Also make sure that the per-VIMAGE interface will work correctly and
>> as expected.
> 
> On this i would like more feedback -- is there anything special
> that I am supposed to do to create per-vimage interfaces ?
> Could you look at the code i sent ?
> "ipfw0" uses the same attach/detach code used by if_tap.


I'm not sure we should do everything just because we can.
It gives us nothing that we can't already get. You can filter using
ipfw netgraph -> netgraph bpf -> ng_socket.
You can efficiently capture packets with divert (or tee).
You can write to pcap files using phk's program.


> 
> cheers
> luigi
> 
>> /bz
>>
>> -- 
>> Bjoern A. Zeeb         It will not break if you know what you are doing.
Received on Tue Dec 15 2009 - 16:05:54 UTC