ipfw: create a bpf tap point for every log rule
Needs ReviewPublic
Actions

Authored by glebius on Fri, Nov 21, 10:59 PM.

Details

Reviewers

ae
lytboris_gmail.com

Group Reviewers

network

Summary

Dynamically allocate bpf tap points for every rule that has "log".
The name is "ipfw%u", where %u is substituted to the rule number.
The default catch all "ipfw0" tap still exists for compatibility
and it will catch packets in case if there are no bpf listeners
on a per-rule tap.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 69165
Build 66048: arc lint + arc unit

Event Timeline

glebius created this revision.Fri, Nov 21, 10:59 PM

Herald added subscribers: vegeta_tuxpowered.net, donner, melifaro and 2 others. · View Herald TranscriptFri, Nov 21, 10:59 PM

glebius requested review of this revision.Fri, Nov 21, 10:59 PM

Harbormaster completed remote builds in B68803: Diff 166937.Fri, Nov 21, 10:59 PM

glebius added a parent revision: D53876: ifconfig: print warning and return success on ipfw0, ipfwlog0 cloning.Fri, Nov 21, 10:59 PM

glebius added a reviewer: ae.Fri, Nov 21, 11:02 PM

glebius added a reviewer: lytboris_gmail.com.Sat, Nov 22, 6:10 AM

ae added inline comments.Mon, Nov 24, 9:28 PM

sys/netpfil/ipfw/ip_fw_bpf.c
61	Currently we support IPFW_DEFAULT_RULE larger than 64k.
92	D53872 says that it is consumer's responsibility to avoid duplicates. But you can create many rules with the same rulenum and it seems there isn't any checks related to duplicates prior to bpf_attach.

glebius added inline comments.Tue, Nov 25, 5:58 AM

sys/netpfil/ipfw/ip_fw_bpf.c
61	Я же два раза спрашивал про 32-битные номера и не получил ответа! >:-\| So, how exactly can I create rule numbers larger than 64k? The constant is hardcoded, it is not a kernel option. If you explain me the mechanism I will look into expanding this string or maybe allocating it dynamically.
92	I totally missed that multiple rules can have one number. I will update the diff to cover that. Thanks!