This patch adds an SDT probe to the ipfw_chk() function. It reduces the complexity of debugging large ipfw rulesets.
Some examples:
- Find the rule that accepts or blocks packets from some IP address.
ipfw:::rule-matched /inet_ntop(args[1], args[2]) == "10.9.8.3"/ { a = xlate <ipfw_match_info_t>(args[4]); printf("Rule %d matched ret code %s (%d): %s %d -> %s %d proto %d", args[5]->rulenum, ipfw_retcodes[args[0]], args[0], inet_ntop(args[1], args[2]), a.src_port, inet_ntop(args[1], args[3]), a.dst_port, a.proto); }
- Trace some IPv6 tcp packets
ipfw:::rule-matched /args[1] == AF_INET6 && args[4]->f_id.proto == IPPROTO_TCP / { a = xlate <ipfw_match_info_t>(args[4]); printf("Rule %d matched ret code %s (%d): %s %d -> %s %d proto %d %s %s", args[5]->rulenum, ipfw_retcodes[args[0]], args[0], inet_ntop(args[1], args[2]), a.src_port, inet_ntop(args[1], args[3]), a.dst_port, a.proto, (a.flags & IPFW_ARGS_IN) ? "in recv": "out xmit", stringof(a.ifp->if_xname)); }
- Print info from IPv6 header from packet matched by rule 1015
ipfw:::rule-matched /args[1] == AF_INET6 && args[5]->rulenum == 1015/ { a = xlate <ipfw_match_info_t>(args[4]); ip6 = xlate <ipv6info_t>(a.ip6p); printf("Rule %d matched ret code %s: %s -> %s proto %d plen %d %s %s", args[5]->rulenum, ipfw_retcodes[args[0]], inet_ntop(args[1], args[2]), inet_ntop(args[1], args[3]), a.proto, ip6.ipv6_plen, (a.flags & IPFW_ARGS_IN) ? "in recv": "out xmit", stringof(a.ifp->if_xname)); }