[dragonfly.git] / share / man / man4 / pflog.4

.\"	$OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $
.\"
.\" Copyright (c) 2001 Tobias Weingartner
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd December 10, 2001
.Dt PFLOG 4
.Os
.Sh NAME
.Nm pflog
.Nd packet filter logging interface
.Sh SYNOPSIS
.Cd "device pflog"
.Sh DESCRIPTION
The
.Nm
interface is a pseudo-device which makes visible all packets logged by
the packet filter,
.Xr pf 4 .
Logged packets can easily be monitored in real
time by invoking
.Xr tcpdump 1
on the
.Nm
interface, or stored to disk using
.Xr pflogd 8 .
.Pp
The pflog0 interface is created automatically at boot if both
.Xr pf 4
and
.Xr pflogd 8
are enabled;
further instances can be created using
.Xr ifconfig 8 .
.Pp
Each packet retrieved on this interface has a header associated
with it of length
.Dv PFLOG_HDRLEN .
This header documents the address family, interface name, rule
number, reason, action, and direction of the packet that was logged.
This structure, defined in
.In net/pf/if_pflog.h
looks like
.Bd -literal -offset indent
struct pfloghdr {
	u_int8_t	length;
	sa_family_t	af;
	u_int8_t	action;
	u_int8_t	reason;
	char		ifname[IFNAMSIZ];
	char		ruleset[PF_RULESET_NAME_SIZE];
	u_int32_t	rulenr;
	u_int32_t	subrulenr;
	uid_t		uid;
	pid_t		pid;
	uid_t		rule_uid;
	pid_t		rule_pid;
	u_int8_t	dir;
	u_int8_t	pad[3];
};
.Ed
.Sh EXAMPLES
Create a
.Nm
interface
and monitor all packets logged on it:
.Bd -literal -offset indent
# ifconfig pflog0 up
# tcpdump -n -e -ttt -i pflog0
.Ed
.Sh SEE ALSO
.Xr inet 4 ,
.Xr inet6 4 ,
.Xr netintro 4 ,
.Xr pf 4 ,
.Xr ifconfig 8 ,
.Xr pflogd 8 ,
.Xr tcpdump 1
.Sh HISTORY
The
.Nm
device first appeared in
.Ox 3.0
and was then integrated into
.Dx 1.1
by Devon H. O'Dell and Simon Schubert.
.\" .Sh BUGS
.\" Anything here?
Commit	Line	Data
70224baa	1	.\" $OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $
f1e85027 SS	2	.\"
	3	.\" Copyright (c) 2001 Tobias Weingartner
	4	.\" All rights reserved.
	5	.\"
	6	.\" Redistribution and use in source and binary forms, with or without
	7	.\" modification, are permitted provided that the following conditions
	8	.\" are met:
	9	.\" 1. Redistributions of source code must retain the above copyright
	10	.\" notice, this list of conditions and the following disclaimer.
	11	.\" 2. Redistributions in binary form must reproduce the above copyright
	12	.\" notice, this list of conditions and the following disclaimer in the
	13	.\" documentation and/or other materials provided with the distribution.
	14	.\"
	15	.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	16	.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	17	.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	18	.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	19	.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	20	.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	21	.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	22	.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	23	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	24	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	25	.\"
	26	.Dd December 10, 2001
	27	.Dt PFLOG 4
	28	.Os
	29	.Sh NAME
	30	.Nm pflog
	31	.Nd packet filter logging interface
	32	.Sh SYNOPSIS
	33	.Cd "device pflog"
	34	.Sh DESCRIPTION
	35	The
9b5a9965	36	.Nm
f1e85027 SS	37	interface is a pseudo-device which makes visible all packets logged by
	38	the packet filter,
	39	.Xr pf 4 .
	40	Logged packets can easily be monitored in real
	41	time by invoking
b958492b	42	.Xr tcpdump 1
f1e85027 SS	43	on the
	44	.Nm
	45	interface, or stored to disk using
	46	.Xr pflogd 8 .
	47	.Pp
70224baa JL	48	The pflog0 interface is created automatically at boot if both
	49	.Xr pf 4
	50	and
	51	.Xr pflogd 8
	52	are enabled;
	53	further instances can be created using
	54	.Xr ifconfig 8 .
	55	.Pp
f1e85027 SS	56	Each packet retrieved on this interface has a header associated
	57	with it of length
	58	.Dv PFLOG_HDRLEN .
	59	This header documents the address family, interface name, rule
	60	number, reason, action, and direction of the packet that was logged.
	61	This structure, defined in
44cb301e	62	.In net/pf/if_pflog.h
f1e85027 SS	63	looks like
	64	.Bd -literal -offset indent
	65	struct pfloghdr {
	66	u_int8_t length;
	67	sa_family_t af;
	68	u_int8_t action;
	69	u_int8_t reason;
	70	char ifname[IFNAMSIZ];
	71	char ruleset[PF_RULESET_NAME_SIZE];
	72	u_int32_t rulenr;
	73	u_int32_t subrulenr;
70224baa JL	74	uid_t uid;
	75	pid_t pid;
	76	uid_t rule_uid;
	77	pid_t rule_pid;
f1e85027 SS	78	u_int8_t dir;
	79	u_int8_t pad[3];
	80	};
	81	.Ed
	82	.Sh EXAMPLES
70224baa JL	83	Create a
	84	.Nm
	85	interface
	86	and monitor all packets logged on it:
f1e85027 SS	87	.Bd -literal -offset indent
	88	# ifconfig pflog0 up
	89	# tcpdump -n -e -ttt -i pflog0
	90	.Ed
	91	.Sh SEE ALSO
	92	.Xr inet 4 ,
	93	.Xr inet6 4 ,
	94	.Xr netintro 4 ,
	95	.Xr pf 4 ,
	96	.Xr ifconfig 8 ,
b31f0f40	97	.Xr pflogd 8 ,
70224baa	98	.Xr tcpdump 1
f1e85027 SS	99	.Sh HISTORY
	100	The
	101	.Nm
	102	device first appeared in
	103	.Ox 3.0
	104	and was then integrated into
	105	.Dx 1.1
	106	by Devon H. O'Dell and Simon Schubert.
	107	.\" .Sh BUGS
	108	.\" Anything here?