bpf, ipfw and before-and-after
Edwin Groothuis
edwin at freebsd.org
Tue Aug 5 06:39:28 PDT 2003
Greetings,

This afternoon I ran into the everlasting "bpf runs before ipfw"
problem again: when you run tcpdump you get all the rubbish
coming from the public internet into an interface, while all I
wanted to see was how much traffic was actually going past the ipfw
rules.

Looking through the code of sys/net/if_ethersubr.c, I thought this
could be solved pretty easily: the second thing ether_input() does
is check for ifp->ip_bpf and call bpf_mtap(). If that call
could be repeated in ether_demux() after ether_ipfw_chk() is checked,
and bpf_mtap() had a way to determine whether it should print
the first or the second one[*], this would solve the problem for
the incoming packets.

For outgoing packets, the call to bpf_mtap() is done in the driver
of the cards, but the check for ipfw is done in ether_output_frame(),
so it could be done in that routine anyway.

[*] During the opening of the bpf device, it could check for a
sysctl setting or something so it knows whether it has to print
the before-ipfw or the behind-ipfw packets. Further, bpf_mtap()
should have a third parameter stating whether it was a before-ipfw
packet, a behind-ipfw packet or an I-don't-care-about-ipfw packet,
so that the function knows if it has to do something with them.

For non-ethernet drivers I'm not sure how to do this yet, but I'm
sure there is a way to figure it out.

Now my question to you guys is: does what I want or what I describe
here make a little bit of sense? Or am I totally going the wrong way?
Or has this topic already been discussed multiple times and was it
decided not to do it? Maybe there is somebody who thinks this is a
cool thing and wants to help me with adding it to the system?

Edwin
--
Edwin Groothuis
edwin at freebsd.org
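As an added illustration, not code from the mail and not FreeBSD's own if_ethersubr.c or bpf code, the following user-space C model shows the control flow the proposal describes: a tap at the ether_input() point, a firewall check, a second tap at the ether_demux() point, plus a path with no firewall hook whose single tap is tagged "don't care". The enumerator names (TAP_BEFORE_IPFW, TAP_AFTER_IPFW, TAP_DONTCARE), the model_* functions and the deny rule for 10.0.0.0/8 are all my assumptions; the traffic is constructed. A listener that asked for the behind-ipfw stage ends up counting exactly the frames that survived the rules, which is the number the mail wanted to see in tcpdump.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stage tag for the proposed third bpf_mtap() argument (enumerator names are mine). */
enum tap_stage { TAP_BEFORE_IPFW, TAP_AFTER_IPFW, TAP_DONTCARE };

/* Minimal model of a frame: IPv4 source address and length on the wire. */
struct pkt { uint32_t src; size_t len; };

/* A bpf listener records the stage it selected when opening the device
 * (the sysctl idea in the mail) and what it has seen so far. */
struct bpf_listener { enum tap_stage want; unsigned seen; size_t bytes; };

/* Model of bpf_mtap() with the proposed stage argument: a packet tapped on a
 * path without an ipfw check (TAP_DONTCARE) goes to every listener, otherwise
 * only to listeners that asked for this stage. */
static void model_bpf_mtap(struct bpf_listener *l, const struct pkt *p, enum tap_stage stage)
{
	if (stage == TAP_DONTCARE || stage == l->want) {
		l->seen++;
		l->bytes += p->len;
	}
}

/* Stand-in for ether_ipfw_chk(): one constructed rule that denies
 * everything sourced from 10.0.0.0/8. */
static bool model_ipfw_pass(const struct pkt *p)
{
	return (p->src >> 24) != 10;
}

/* Model of the inbound ethernet path: tap where ether_input() taps, run the
 * firewall, tap again where ether_demux() would for whatever survived. */
static bool model_ether_input(struct bpf_listener *l, const struct pkt *p)
{
	model_bpf_mtap(l, p, TAP_BEFORE_IPFW);
	if (!model_ipfw_pass(p))
		return false;   /* dropped by ipfw: never reaches the second tap */
	model_bpf_mtap(l, p, TAP_AFTER_IPFW);
	return true;
}

/* Model of an input path with no ipfw hook at all (the non-ethernet case
 * the mail leaves open): its single tap is tagged TAP_DONTCARE. */
static void model_other_input(struct bpf_listener *l, const struct pkt *p)
{
	model_bpf_mtap(l, p, TAP_DONTCARE);
}

/* Feed constructed traffic through both paths for one listener preference.
 * Returns the number of frames the listener saw; *bytes_out gets their total size. */
unsigned run_listener(enum tap_stage want, size_t *bytes_out)
{
	static const struct pkt ether_traffic[] = {
		{ 0x0A000001u,   60 },   /* 10.0.0.1     -> denied by the rule */
		{ 0xC0A80001u, 1500 },   /* 192.168.0.1  -> passes */
		{ 0x0A0A0A0Au,  100 },   /* 10.10.10.10  -> denied */
		{ 0x08080808u,   80 },   /* 8.8.8.8      -> passes */
	};
	static const struct pkt other_traffic[] = {
		{ 0x01010101u,   40 },   /* arrives on a path without an ipfw check */
	};
	struct bpf_listener l = { want, 0, 0 };
	size_t i;

	for (i = 0; i < sizeof ether_traffic / sizeof ether_traffic[0]; i++)
		model_ether_input(&l, &ether_traffic[i]);
	for (i = 0; i < sizeof other_traffic / sizeof other_traffic[0]; i++)
		model_other_input(&l, &other_traffic[i]);

	if (bytes_out != NULL)
		*bytes_out = l.bytes;
	return l.seen;
}

/* Convenience wrapper: total bytes a listener with this preference would see. */
size_t run_listener_bytes(enum tap_stage want)
{
	size_t bytes = 0;
	run_listener(want, &bytes);
	return bytes;
}

int main(void)
{
	size_t b;
	unsigned n = run_listener(TAP_BEFORE_IPFW, &b);
	printf("before-ipfw listener: %u frames, %zu bytes\n", n, b);
	n = run_listener(TAP_AFTER_IPFW, &b);
	printf("after-ipfw listener:  %u frames, %zu bytes\n", n, b);
	return 0;
}
```

With the five constructed frames, a before-ipfw listener sees all five (1780 bytes) while a behind-ipfw listener sees only the three that were not denied (1620 bytes); the frame on the hook-less path reaches both because its tap is tagged TAP_DONTCARE. The outgoing direction is not modelled, since the mail notes the driver-side tap would need the same treatment in ether_output_frame().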