This patch adds SDT probe to ipfw_chk() function. It helps to reduce complexity with debugging large ipfw rulesets.
Some examples.
1. Find the rule that accepts or blocks packets from some IP address.
```
ipfw:::rule-matched
/inet_ntop(args[1], args[2]) == "10.9.8.3"/
{
a = xlate <ipfw_match_info_t>(args[4]);
printf("Rule %d matched ret code %s (%d): %s %d -> %s %d proto %d",
args[5]->rulenum, ipfw_retcodes[args[0]], args[0],
inet_ntop(args[1], args[2]), a.src_port,
inet_ntop(args[1], args[3]), a.dst_port, a.proto);
}
```
2. Trace some IPv6 tcp packets
```
ipfw:::rule-matched
/args[1] == AF_INET6 && args[4]->f_id.proto == IPPROTO_TCP /
{
a = xlate <ipfw_match_info_t>(args[4]);
printf("Rule %d matched ret code %s (%d): %s %d -> %s %d proto %d %s %s",
args[5]->rulenum, ipfw_retcodes[args[0]], args[0],
inet_ntop(args[1], args[2]), a.src_port,
inet_ntop(args[1], args[3]), a.dst_port, a.proto,
(a.flags & IPFW_ARGS_IN) ? "in recv": "out xmit",
stringof(a.ifp->if_xname));
}
```
3. Print info from IPv6 header from packet matched by rule 1015
```
ipfw:::rule-matched
/args[1] == AF_INET6 && args[5]->rulenum == 1015/
{
a = xlate <ipfw_match_info_t>(args[4]);
ip6 = xlate <ipv6info_t>(a.ip6p);
printf("Rule %d matched ret code %s: %s -> %s proto %d plen %d %s %s",
args[5]->rulenum, ipfw_retcodes[args[0]],
inet_ntop(args[1], args[2]),
inet_ntop(args[1], args[3]), a.proto,
ip6.ipv6_plen,
(a.flags & IPFW_ARGS_IN) ? "in recv": "out xmit",
stringof(a.ifp->if_xname));
}
```