From: Luigi Rizzo
To: ipfw@freebsd.org
Date: Mon, 15 Sep 2003 04:15:26 -0700
Message-ID: <20030915041525.B77950@xorpc.icir.org>
Subject: ipfw2 logging through tcpdump ?
List-Id: IPFW Technical Discussions

Having recently played a bit with largish ipfw configurations, I would have really liked to have a more flexible logging facility for ipfw. It occurred to me that one way could be to extend the ipfw2 "log" option to optionally pass to a bpf listener a copy of the packets selected by the ipfw rule (maybe with some tag showing the rule they come from), so that one can run a tcpdump on that stream when detailed analysis is required, and have essentially zero overhead in other cases. What do people think?
Implementation should be almost trivial, amounting to creating a fake struct ifnet for ipfw2 (suitably initialized to give it a name and pretend it is up and running and has an address assigned), calling bpfattach() on it, and then implementing an ipfw2 instruction which always succeeds and, if there is a listener, calls bpf_mtap on the mbuf. Does this make sense? And, any idea on how to tag the packet with a rule number in a way that tcpdump can filter? (Yes, I am looking for dirty hacks here...) (And speaking of dirty hacks, of course layer3 packets can be easily prepended with a fake MAC header which includes the matching rule number in the ether src/dst addresses, but this trick won't work for layer2 packets, which we do care about.)

cheers
luigi
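The fake-MAC-header tagging trick for layer-3 packets, worked through in user space as an added illustration (this is not code from the post or from FreeBSD): the 16-bit rule number is placed in the low two octets of a locally administered source MAC, the tagged frames are written as a DLT_EN10MB pcap, and the matching `ether src` expression is derived so tcpdump can select one rule's traffic. The OUI prefix `02:00:00:00`, the fixed destination address and the sample IPv4 header are constructed values chosen here, not anything the post specifies.

```python
import struct

ETHERTYPE_IP = 0x0800
DLT_EN10MB = 1
# Locally administered address (bit 1 of first octet set) so it cannot collide with a real NIC.
FAKE_OUI = b"\x02\x00\x00\x00"
FAKE_DST = b"\x02\x00\x00\x00\x00\x00"

def tag_header(rule_num, ethertype=ETHERTYPE_IP):
    """14-byte fake Ethernet header: fixed dst, src = FAKE_OUI + 16-bit rule number."""
    if not 0 <= rule_num <= 0xFFFF:
        raise ValueError("ipfw rule numbers are 16-bit")
    return FAKE_DST + FAKE_OUI + struct.pack("!H", rule_num) + struct.pack("!H", ethertype)

def rule_from_frame(frame):
    """Recover the rule number from the low two octets of the source MAC."""
    if frame[6:10] != FAKE_OUI:
        raise ValueError("not an ipfw-tagged frame")
    return struct.unpack("!H", frame[10:12])[0]

def ether_filter(rule_num):
    """tcpdump expression for one rule, e.g. rule 100 -> 'ether src 02:00:00:00:00:64'."""
    return "ether src " + ":".join("%02x" % b for b in FAKE_OUI + struct.pack("!H", rule_num))

def write_pcap(records):
    """records: iterable of (ts_sec, rule_num, raw_ip_packet) -> little-endian pcap 2.4 bytes."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)]
    for ts, rule, l3 in records:
        frame = tag_header(rule) + l3
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Parse the pcap back into (ts_sec, rule_num, raw_ip_packet) tuples."""
    if len(data) < 24 or struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap")
    off, result = 24, []
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        result.append((ts, rule_from_frame(frame), frame[14:]))   # strip the fake MAC header
        off += 16 + caplen
    return result

# Constructed sample: a minimal 20-byte IPv4 header, 192.168.0.1 -> 192.168.0.2, no payload.
SAMPLE_IP = bytes.fromhex("450000140000400040010000c0a80001c0a80002")
```

Writing `write_pcap([(0, 100, SAMPLE_IP)])` to a file and running `tcpdump -r` on it with the expression from `ether_filter(100)` shows only that rule's packets; as the post notes, the scheme does not extend to layer-2 packets, which already carry a real MAC header.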