From: Edwin Groothuis <edwin@mavetju.org>
To: freebsd-net@freebsd.org
Date: Tue, 5 Aug 2003 23:39:23 +1000
Subject: bpf, ipfw and before-and-after
Message-ID: <20030805133922.GA7713@k7.mavetju>
List-Id: Networking and TCP/IP with FreeBSD

Greetings,

This afternoon I ran into the everlasting "bpf runs before ipfw" problem again: when you run tcpdump you get all the rubbish coming from the public internet into an interface, while all I wanted to see was how much traffic was actually going past the ipfw rules.

Looking through the code of sys/net/if_ethersubr.c, I thought this could be solved pretty easily: the second thing ether_input() does is check for ifp->ip_bpf and call bpf_mtap(). If that call could be repeated in ether_demux() after ether_ipfw_chk() is checked, and bpf_mtap() had a way to determine whether it should print the first or the second one[*], this would solve the problem for the incoming packets.
For outgoing packets, the call to bpf_mtap() is done in the driver of the cards, but the check for ipfw is done in ether_output_frame(), so it could be done in that routine anyway.

[*] During the opening of the bpf device, it could check for a sysctl setting or something so it knows whether it has to print the before-ipfw or the behind-ipfw packets. Further, bpf_mtap() should have a third parameter, stating whether it was a before-ipfw packet, a behind-ipfw packet or an I-don't-care-about-ipfw packet, so that the function knows if it has to do something with them.

For non-Ethernet drivers I'm not sure how to do this yet, but I'm sure there is a way to figure it out.

Now my question to you guys is: does what I want or what I describe here make a little bit of sense? Or am I totally going the wrong way? Or has this topic already been discussed multiple times and decided not to do it? Maybe there is somebody who thinks this is a cool thing and wants to help me with adding it to the system?

Edwin

-- 
Edwin Groothuis
edwin@freebsd.org
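As an added illustration (not code from the message or from FreeBSD), here is a small user-space C model of the scheme proposed above: a simulated inbound Ethernet path taps once before the ipfw check and again after it, bpf_mtap() carries the extra stage argument, and each listener has chosen at open time which stage it wants. All names are hypothetical, and reading the "don't care" case as "a path with no ipfw check, tapped once" is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Tap stage: the third bpf_mtap() argument proposed in the message.
 * TAP_NO_IPFW models the "I don't care about ipfw" case: a path with no
 * ipfw check at all, so the packet is tapped exactly once (assumed meaning). */
enum tap_stage { TAP_BEFORE_IPFW, TAP_AFTER_IPFW, TAP_NO_IPFW };
/* What the listener asked for when it opened the bpf device (the sysctl). */
enum tap_mode { MODE_BEFORE_IPFW, MODE_AFTER_IPFW };

struct pkt { uint32_t src; uint16_t dport; };
struct listener { enum tap_mode mode; int seen; };

/* A listener takes its chosen stage plus anything never subject to ipfw. */
static bool wants(enum tap_mode m, enum tap_stage s) {
    if (s == TAP_NO_IPFW) return true;
    return (m == MODE_BEFORE_IPFW) == (s == TAP_BEFORE_IPFW);
}

/* Simulated bpf_mtap() handing the packet and its stage to every listener. */
static void bpf_mtap_sim(struct listener *l, size_t n, const struct pkt *p,
                         enum tap_stage s) {
    (void)p; /* the model only counts deliveries, it does not copy bytes */
    for (size_t i = 0; i < n; i++)
        if (wants(l[i].mode, s)) l[i].seen++;
}

/* Constructed stand-in for ether_ipfw_chk(): pass only dport 22 and 80. */
static bool ipfw_chk_sim(const struct pkt *p) {
    return p->dport == 22 || p->dport == 80;
}

/* Simulated inbound Ethernet path: tap, ipfw check, tap again if it passed. */
static bool ether_input_sim(struct listener *l, size_t n, const struct pkt *p) {
    bpf_mtap_sim(l, n, p, TAP_BEFORE_IPFW);
    if (!ipfw_chk_sim(p)) return false;  /* dropped: second tap never fires */
    bpf_mtap_sim(l, n, p, TAP_AFTER_IPFW);
    return true;
}

/* Constructed burst: three packets ipfw rejects, two it passes. Returns accepted. */
int run_demo(struct listener *l, size_t n) {
    const struct pkt burst[] = {{1, 135}, {2, 445}, {3, 22}, {4, 1434}, {5, 80}};
    int accepted = 0;
    for (size_t i = 0; i < sizeof burst / sizeof burst[0]; i++)
        accepted += ether_input_sim(l, n, &burst[i]);
    return accepted;
}
```

A before-ipfw listener sees all five packets of the burst, an after-ipfw listener only the two that survived the check.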