author: Gleb Smirnoff <glebius@FreeBSD.org> 2025-12-15 12:51:51 -0800
committer: Gleb Smirnoff <glebius@FreeBSD.org> 2025-12-15 13:17:23 -0800
commit: 3daae1ac1d82ecdcd855101bab5206e914b12350
tree: 9c67e429e0a41acb733c5c2dd53866b39251affe /sbin
parent: 1c5021f5251b231b614ad9cd175bcb4250495c12
ipfw: create a bpf tap point for every log rule
Dynamically allocate bpf tap points for every rule that has "log". The name is "ipfw%u", where %u is substituted with the rule number. The default catch-all "ipfw0" tap still exists for compatibility, and it will catch packets in case there are no bpf listeners on a per-rule tap.

Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D53877
Diffstat (limited to 'sbin')
 sbin/ipfw/ipfw.8  | 31
 sbin/ipfw/ipfw2.c |  7
 2 files changed, 26 insertions, 12 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 789512e5cc1e..7a81c84de3e4 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,5 +1,5 @@
.\"
-.Dd December 4, 2025
+.Dd December 10, 2025
.Dt IPFW 8
.Os
.Sh NAME
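Review bot: the .Dd date bumped here (December 10, 2025) is earlier than the commit date in the header (2025-12-15), so the manual page's revision date would predate the change it documents; set it to the date the change actually lands.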
@@ -704,7 +704,18 @@ option (see below), packets are logged in two ways: if the sysctl variable
is set to 0 (default), one can use the
.Xr bpf 4
tap named
-.Li ipfw0 .
+.Li ipfwXXXXX ,
+where XXXXX is the number of the rule that has the
+.Cm log
+keyword.
+The compatibility
+.Xr bpf 4
+tap named
+.Li ipfw0
+still exists.
+It will catch packets in case if there are no
+.Xr bpf 4
+listener(s) on a per-rule tap.
There is zero overhead when no
.Xr bpf 4
listener is attached to the tap.
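Review bot: the added sentence "It will catch packets in case if there are no ... listener(s) on a per-rule tap." is ungrammatical; suggest "It receives the packet only when no bpf(4) listener is attached to the per-rule tap." The spelling .Li ipfwXXXXX also invites reading the tap name as a fixed-width, zero-padded field, whereas the commit message says the name is built with %u, so rule 100 yields ipfw100; one concrete example in the text would remove that ambiguity. The unchanged trailing line "listener is attached to the tap." now refers to several taps and reads better as "to a tap".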
@@ -746,10 +757,12 @@ Logs a packet to
with a
.Dv LOG_SECURITY
facility.
-.It Ar ipfw0
+.It Ar bpf
Logs a packet to the
-.Li ipfw0
-pseudo interface.
+.Xr bpf 4
+tap named
+.Li ipfwXXXXX ,
+where XXXXX is the rule number.
.It Ar rtsock
Logs a packet to the
.Xr route 4
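Review bot: the logdst keyword list now documents only bpf, but parse_logdst in the ipfw2.c hunk of this same change still accepts ipfw0 as a compatibility spelling; add an .It Ar ipfw0 entry marked as a deprecated alias for bpf (or a sentence under bpf saying so), otherwise existing rulesets that use logdst ipfw0 are no longer explained by the manual page.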
@@ -769,7 +782,7 @@ I.e. A packet matching a rule with
.Cm log logamount
100
.Cm logdst
-syslog,ipfw0 ...
+syslog,bpf ...
.Ed
.Pp
will log upto 50 packets.
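Review bot: the unchanged trailing context line "will log upto 50 packets." carries a pre-existing typo ("upto" should be "up to"); since this example paragraph is being edited anyway, it is worth fixing in the same commit.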
@@ -3663,9 +3676,9 @@ Default value is
.It Cm log
Turn on logging of all handled packets via BPF tap named
.Ar ipfwlog0 .
-Note that it has different purpose than
-.Ar ipfw0
-tap.
+Note that it has different purpose than per-rule
+.Xr bpf 4
+taps.
Translators sends to BPF an additional information with each packet.
With
.Cm tcpdump
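Review bot: "Note that it has different purpose than per-rule ... taps." is missing an article ("a different purpose"); the unchanged following line "Translators sends to BPF an additional information" has pre-existing agreement errors ("Translators send additional information to BPF") that could be corrected while this paragraph is being touched.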
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index 27ccaea2c78f..26baa596cc89 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -2013,7 +2013,7 @@ print_logdst(struct buf_pr *bp, uint16_t arg1)
comma = ",";
}
if (arg1 & IPFW_LOG_IPFW0) {
- bprintf(bp, "%sipfw0", comma);
+ bprintf(bp, "%sbpf", comma);
comma = ",";
}
if (arg1 & IPFW_LOG_RTSOCK) {
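Review bot: print_logdst now emits the keyword bpf for the IPFW_LOG_IPFW0 flag, so the flag name no longer matches the user-visible keyword; a short comment on this case, e.g. /* IPFW_LOG_IPFW0 selects the per-rule bpf taps; printed as "bpf" */, would save the next reader a trip to the header. Printing bpf rather than ipfw0 is the right choice here, because parse_logdst accepts both spellings and the printed rule therefore stays reloadable.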
@@ -4066,8 +4066,9 @@ parse_logdst(char *logdst_iter)
ret |= IPFW_LOG_SYSLOG;
continue;
}
- if (_substrcmp(token, "ipfw0") == 0) {
- /* XXX add multiple ipfw* */
+ /* ipfw0 is compatibility keyword. */
+ if (_substrcmp(token, "bpf") == 0 ||
+ _substrcmp(token, "ipfw0") == 0) {
ret |= IPFW_LOG_IPFW0;
continue;
}
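Review bot: the new comment "ipfw0 is compatibility keyword." is missing an article and does not say what it is an alias for; suggest /* "ipfw0" is the old spelling, kept as a compatibility alias for "bpf". */ so the relationship between the two tokens is explicit. The removed "XXX add multiple ipfw*" marker is correctly resolved by this change.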