Date:      Fri, 20 Apr 2007 17:38:01 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: displaying rule labels in pf logs
Message-ID:  <200704201738.10315.max@love2party.net>
In-Reply-To: <70f41ba20704191637r3b615497ga13ebfa885db180c@mail.gmail.com>
References:  <70f41ba20704191637r3b615497ga13ebfa885db180c@mail.gmail.com>


On Friday 20 April 2007 01:37, snowcrash wrote:
> i typically tail my pf-log with "tcpdump -vvttttnei pflog0".
>
> this, of course, displays the matched "rule #", e.g.,
>
> 	2007-04-18 13:07:11.363065 rule 40/0(match): pass in on tun0: (tos
> 0x0, ttl  54, id 10, offset 0, flags [DF], proto: UDP (17), length:
> 70) 144.160.112.22.37572 > 192.168.1.53.53:  62723[|domain]
>
> is there any way to instead/additionally display a rule's "label" in
> the live log?

A small awk/perl/python/ruby/...-filter should get you running.  Simply
suck in "pfctl -vvsr" output and build an associative array rule# ->
label and then just search and replace.

> there's a patch to do this here
> (http://lists.freebsd.org/pipermail/freebsd-pf/2006-June/002278.html),
> but, iiuc, that requires me to patch-&-rebuild both tcpdump & my
> kernel ...
>
> is there an existing 'native' option to do so already 'in' pf+tcpdump?

No there isn't - and I don't think we will implement it either.  The
information can easily be obtained if the corresponding ruleset is
available and copying 64 byte additional information is a significant
overhead.  As variable size headers are somewhat tricky, I'm afraid this
is a no-go - sorry.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

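The filter Max describes, written out as an added example (it is not part of the original thread, of pf, or of tcpdump): parse `pfctl -vvsr`, build a rule-number -> label map, and rewrite the `rule N/R(reason):` token in each line that `tcpdump -vvttttnei pflog0` prints. It assumes the `@N <rule> ... label "name"` layout of `pfctl -vvsr` output and the `rule 40/0(match):` token shape shown in the quoted log line; the sample ruleset and log lines below are constructed for the demo. Rules logged from inside an anchor (`rule N.anchor.M/R(reason)`) are recognised and left untouched, since their numbers are not indices into the main ruleset.

```python
#!/usr/bin/env python3
"""Annotate 'tcpdump -vvttttnei pflog0' output with pf rule labels.

Added example, not from the original thread.  Implements the filter Max
Laier suggests: read 'pfctl -vvsr', map rule number -> label, then search
and replace the rule token in each pflog line.

Caveat: pf numbers rules by position in the loaded ruleset, so the map is
only valid for the ruleset that was active when the packet was logged.
Rebuild it (restart the filter) after every 'pfctl -f ...'.
"""
import re
import subprocess
import sys

# 'pfctl -vvsr' prefixes each rule with "@<n> "; the indented "[ ... ]"
# counter lines that follow a rule do not match and are skipped.
_RULE_RE = re.compile(r'^@(\d+)\s+(.*)$')
_LABEL_RE = re.compile(r'\blabel\s+"([^"]*)"')

# pflog lines carry "rule N/R(reason):" for main-ruleset rules and
# "rule N.anchor.M/R(reason):" for rules evaluated inside an anchor.
# Group 2 captures the anchor part so those lines can be left alone.
_PFLOG_RULE_RE = re.compile(r'\brule (\d+)(\.[^/\s]+)?(/\d+\([^)]*\))')

# Constructed sample of 'pfctl -vvsr' output (not captured from a host).
SAMPLE_PFCTL = """\
@0 scrub in all fragment reassemble
  [ Evaluations: 1021      Packets: 0         Bytes: 0           States: 0     ]
@1 block drop in log all label "default-deny"
  [ Evaluations: 1021      Packets: 12        Bytes: 960         States: 0     ]
@2 pass in log on tun0 inet proto udp from any to 192.168.1.53 port = 53 keep state label "dns-in"
  [ Evaluations: 1009      Packets: 3         Bytes: 210         States: 1     ]
@3 pass out all flags S/SA keep state
  [ Evaluations: 5         Packets: 5         Bytes: 400         States: 2     ]
"""

# Constructed pflog lines in the format the thread quotes.  The last one
# shows the anchored form, which the filter must not try to resolve.
SAMPLE_PFLOG = [
    "2007-04-18 13:07:11.363065 rule 2/0(match): pass in on tun0: (tos 0x0, ttl 54, id 10, "
    "offset 0, flags [DF], proto: UDP (17), length: 70) 144.160.112.22.37572 > 192.168.1.53.53:  62723[|domain]",
    "2007-04-18 13:07:12.001200 rule 1/0(match): block in on tun0: (tos 0x0, ttl 51, id 7, "
    "offset 0, flags [DF], proto: TCP (6), length: 60) 203.0.113.9.4455 > 192.168.1.53.22: S ...",
    "2007-04-18 13:07:12.200000 rule 3/0(match): pass out on tun0: ...",
    "2007-04-18 13:07:13.000000 rule 1.ftp-proxy.0/0(match): pass in on tun0: ...",
]


def parse_pfctl_rules(text):
    """Return {rule_number: label} for every labelled rule in pfctl -vvsr output."""
    labels = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        lm = _LABEL_RE.search(m.group(2))
        if lm:
            labels[int(m.group(1))] = lm.group(1)
    return labels


def annotate_pflog_line(line, labels):
    """Rewrite 'rule 2/0(match):' as 'rule 2/0(match) [dns-in]:' when a label is known."""
    def repl(m):
        if m.group(2) is not None:       # anchored rule: number is not a main-ruleset index
            return m.group(0)
        label = labels.get(int(m.group(1)))
        if label is None:                # unlabelled or unknown rule: leave the token as-is
            return m.group(0)
        return f"rule {m.group(1)}{m.group(3)} [{label}]"
    return _PFLOG_RULE_RE.sub(repl, line)


def annotate_stream(lines, labels):
    """Annotate a list of pflog lines; used by the demo and the test."""
    return [annotate_pflog_line(line, labels) for line in lines]


def load_live_labels():
    """Build the map from the running system (needs read access to /dev/pf)."""
    out = subprocess.run(["pfctl", "-vvsr"], capture_output=True, text=True, check=True).stdout
    return parse_pfctl_rules(out)


if __name__ == "__main__":
    if "--live" in sys.argv[1:]:
        # Usage: tcpdump -vvttttnei pflog0 | python3 pflog_labels.py --live
        live = load_live_labels()
        for raw in sys.stdin:
            sys.stdout.write(annotate_pflog_line(raw.rstrip("\n"), live) + "\n")
            sys.stdout.flush()
    else:
        demo = parse_pfctl_rules(SAMPLE_PFCTL)
        for out_line in annotate_stream(SAMPLE_PFLOG, demo):
            print(out_line)
```

Run without arguments to see the constructed demo; with `--live` it reads the real ruleset once and then annotates whatever `tcpdump` pipes in. Because the map is read once, start the filter again after reloading the ruleset, and remember that rules inside anchors need their own `pfctl -a <anchor> -vvsr` map if you want them labelled too.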



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200704201738.10315.max>