Page MenuHomeFreeBSD
Differential D53877

ipfw: create a bpf tap point for every log rule
ClosedPublic
Actions

Authored by glebius on Nov 21 2025, 10:59 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Jan 9, 7:10 AM
Unknown Object (File)
Fri, Jan 9, 5:32 AM
Unknown Object (File)
Thu, Jan 1, 6:26 AM
Unknown Object (File)
Sat, Dec 27, 9:38 PM
Unknown Object (File)
Fri, Dec 26, 11:21 PM
Unknown Object (File)
Sun, Dec 21, 9:33 PM
Unknown Object (File)
Sun, Dec 21, 2:05 PM
Unknown Object (File)
Dec 1 2025, 5:41 PM
View All 21 Files
Subscribers
ae
donner
imp
melifaro
p.mousavizadeh_protonmail.com
vegeta_tuxpowered.net
ziaee

Details

Reviewers
ae
lytboris_gmail.com
Group Reviewers
network
Commits
rG3daae1ac1d82: ipfw: create a bpf tap point for every log rule
Summary

Dynamically allocate bpf tap points for every rule that has "log".
The name is "ipfw%u", where %u is substituted to the rule number.
The default catch all "ipfw0" tap still exists for compatibility
and it will catch packets in case if there are no bpf listeners
on a per-rule tap.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

glebius created this revision.Nov 21 2025, 10:59 PM
Herald added subscribers: vegeta_tuxpowered.net, donner, melifaro and 2 others. · View Herald TranscriptNov 21 2025, 10:59 PM
glebius requested review of this revision.Nov 21 2025, 10:59 PM
Harbormaster completed remote builds in B68803: Diff 166937.Nov 21 2025, 10:59 PM
glebius added a parent revision: D53876: ifconfig: print warning and return success on ipfw0, ipfwlog0 cloning.Nov 21 2025, 10:59 PM
glebius added a reviewer: ae.Nov 21 2025, 11:02 PM
glebius added a reviewer: lytboris_gmail.com.Nov 22 2025, 6:10 AM
ae added inline comments.Nov 24 2025, 9:28 PM
sys/netpfil/ipfw/ip_fw_bpf.c
62

Currently we support IPFW_DEFAULT_RULE larger than 64k.

93

D53872 says that it is consumer's responsibility to avoid duplicates. But you can create many rules with the same rulenum and it seems there isn't any checks related to duplicates prior to bpf_attach.

glebius added inline comments.Nov 25 2025, 5:58 AM
sys/netpfil/ipfw/ip_fw_bpf.c
62

Я же два раза спрашивал про 32-битные номера и не получил ответа! >:-|

So, how exactly can I create rule numbers larger than 64k? The constant is hardcoded, it is not a kernel option. If you explain me the mechanism I will look into expanding this string or maybe allocating it dynamically.

93

I totally missed that multiple rules can have one number. I will update the diff to cover that. Thanks!

glebius updated this revision to Diff 167514.Dec 4 2025, 12:18 AM
  • Address the fact that many rules can have the same number.
  • Support 32-bit rule numbers.
Harbormaster completed remote builds in B69034: Diff 167514.Dec 4 2025, 12:18 AM
glebius mentioned this in D53872: bpf: modularize ifnet(9) part of bpf.Dec 8 2025, 5:30 PM
ae accepted this revision as: ae.Dec 10 2025, 4:41 PM
This revision is now accepted and ready to land.Dec 10 2025, 4:41 PM
p.mousavizadeh_protonmail.com added a subscriber: p.mousavizadeh_protonmail.com.Dec 10 2025, 5:24 PM
glebius updated this revision to Diff 167830.Dec 10 2025, 8:38 PM
  • Documentation and ipfw(8) update.
This revision now requires review to proceed.Dec 10 2025, 8:38 PM
Herald added a subscriber: ziaee. · View Herald TranscriptDec 10 2025, 8:38 PM
Harbormaster completed remote builds in B69165: Diff 167830.Dec 10 2025, 8:38 PM
This revision was not accepted when it landed; it landed in state Needs Review.Mon, Dec 15, 9:47 PM
Closed by commit rG3daae1ac1d82: ipfw: create a bpf tap point for every log rule (authored by glebius). · Explain Why
This revision was automatically updated to reflect the committed changes.
glebius added a commit: rG3daae1ac1d82: ipfw: create a bpf tap point for every log rule.

Revision Contents
Changeset List

PathSize
sbin/
ipfw/
31 lines
7 lines
sys/
netpfil/
ipfw/
119 lines
30 lines
7 lines
5 lines
nat64/
2 lines
2 lines
2 lines
2 lines

Diff 168149

View Options

sbin/ipfw/ipfw.8

Loading...
View Options

sbin/ipfw/ipfw2.c

Loading...
View Options

sys/netpfil/ipfw/ip_fw_bpf.c

Loading...
View Options

sys/netpfil/ipfw/ip_fw_log.c

Loading...
View Options

sys/netpfil/ipfw/ip_fw_private.h

Loading...
View Options

sys/netpfil/ipfw/ip_fw_sockopt.c

Loading...
View Options

sys/netpfil/ipfw/nat64/nat64_translate.c

Loading...
View Options

sys/netpfil/ipfw/nat64/nat64clat.c

Loading...
View Options

sys/netpfil/ipfw/nat64/nat64lsn.c

Loading...
View Options

sys/netpfil/ipfw/nat64/nat64stl.c

Loading...