displaying rule labels in pf logs
Max Laier
max at love2party.net
Fri Apr 20 15:38:16 UTC 2007
On Friday 20 April 2007 01:37, snowcrash wrote:
> I typically tail my pf log with "tcpdump -vvttttnei pflog0".
>
> This, of course, displays the matched "rule #", e.g.,
>
> 2007-04-18 13:07:11.363065 rule 40/0(match): pass in on tun0: (tos
> 0x0, ttl 54, id 10, offset 0, flags [DF], proto: UDP (17), length:
> 70) 144.160.112.22.37572 > 192.168.1.53.53: 62723[|domain]
>
> Is there any way to instead/additionally display a rule's "label" in
> the live log?
A small awk/perl/python/ruby/...-filter should get you running. Simply
suck in "pfctl -vvsr" output and build an associative array rule# ->
label and then just search and replace.
> There's a patch to do this here
> (http://lists.freebsd.org/pipermail/freebsd-pf/2006-June/002278.html),
> but, iiuc, that requires me to patch-&-rebuild both tcpdump & my
> kernel ...
>
> Is there an existing 'native' option to do so already 'in' pf+tcpdump?
No there isn't - and I don't think we will implement it either. The
information can easily be obtained if the corresponding ruleset is
available and copying 64 byte additional information is a significant
overhead. As variable size headers are somewhat tricky, I'm afraid this
is a no-go - sorry.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
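One such filter, as an added example (not code from this thread or from the pf project): it reads `pfctl -vvsr` once, builds the rule-number to label map the reply describes, and rewrites each tcpdump pflog line from stdin. The `pfctl -vvsr` sample below is constructed; the example assumes the N in "rule N/M" is the main-ruleset number (anchor sub-rules are not mapped).

```python
import re
import subprocess
import sys

# Constructed sample of `pfctl -vvsr` output: with -vv each rule is prefixed by
# its number (@N) and a labelled rule carries label "...". Rule @0 has no label.
SAMPLE_RULESET = """\
@0 scrub in all fragment reassemble
@40 pass in on tun0 proto udp from any to 192.168.1.53 port = 53 label "dns-in" keep state
  [ Evaluations: 12 Packets: 4 Bytes: 300 States: 0 ]
@41 block drop in log on tun0 all label "default-deny"
  [ Evaluations: 5 Packets: 5 Bytes: 400 States: 0 ]
"""

RULE_RE = re.compile(r'^@(\d+)\s.*?\blabel\s+"([^"]*)"')
LOG_RE = re.compile(r'\brule (\d+)/(\d+)\((\w+)\)')


def parse_labels(ruleset_text):
    """Map rule number -> label from `pfctl -vvsr` output; unlabelled rules are skipped."""
    labels = {}
    for line in ruleset_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            labels[int(m.group(1))] = m.group(2)
    return labels


def annotate(log_line, labels):
    """Append [label] to the 'rule N/M(match)' token of a pflog tcpdump line, if known."""
    def repl(m):
        label = labels.get(int(m.group(1)))
        if label is None:
            return m.group(0)          # unlabelled rule: leave the line untouched
        return '%s [%s]' % (m.group(0), label)
    return LOG_RE.sub(repl, log_line, count=1)


def main():
    # Live use: tcpdump -vvttttnei pflog0 | python pflabel.py
    ruleset = subprocess.check_output(['pfctl', '-vvsr']).decode('ascii', 'replace')
    labels = parse_labels(ruleset)
    for line in sys.stdin:
        sys.stdout.write(annotate(line, labels))
        sys.stdout.flush()


if __name__ == '__main__':
    main()
```

Re-run the filter after reloading the ruleset, since rule numbers shift when rules are added or removed.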