Re: Setting a rule for NPF

To: netbsd-users%netbsd.org@localhost
Subject: Re: Setting a rule for NPF
From: christos%astron.com@localhost (Christos Zoulas)
Date: Fri, 2 Jan 2015 21:56:58 +0000 (UTC)

In article <trinity-d1d87efd-2159-4e9a-a019-1bf32e66a33a-1420217178333@3capp-mailcom-lxa11>,
Rocky Hotas <rockyhotas%post.com@localhost> wrote:
>With the /etc/npf.conf file as below
>
>procedure "log" {
>log: npflog0
>}
>
>group (default) {
>pass all
>pass final family inet proto icmp all apply "log"
>}
>
>it works.
>I can read the log by running "tcpdump -i npflog0". But is there an
>easier way to have the log? 
>I would like to automatically redirect the log to a file without keeping
>active tcpdump.

No, there is currently no way. You would need a helper userland
process to read the data out from the device (it is nasty to have
the kernel write directly to the filesystem). I've been thinking
about writing a small logger for npf that logs via syslog, but then
the only thing I would achieve would be to lose the bits of the
original data for the benefit of user pretty printing.

To do this, the obvious way would be to turn tcpdump into a library,
or change the main tcpdump program to do handle this. Both are
non-trivial tasks. If I feel bored someday :-)

christos

Follow-Ups:
- Re: Setting a rule for NPF
  - From: Rocky Hotas

References:
- Re: Setting a rule for NPF
  - From: Christos Zoulas
- Re: Setting a rule for NPF
  - From: Rocky Hotas

Prev by Date: Re: Setting a rule for NPF
Next by Date: Re: Setting a rule for NPF
Previous by Thread: Re: Setting a rule for NPF
Next by Thread: Re: Setting a rule for NPF
Indexes:

Home | Main Index | Thread Index | Old Index