.\" $OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $
.\"
.\" Copyright (c) 2001 Tobias Weingartner
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd December 10, 2001
.Dt PFLOG 4
.Os
.Sh NAME
.Nm pflog
.Nd packet filter logging interface
.Sh SYNOPSIS
.Cd "device pflog"
.Sh DESCRIPTION
The
.Nm
interface is a pseudo-device which makes visible all packets logged by
the packet filter,
.Xr pf 4 .
Logged packets can easily be monitored in real
time by invoking
.Xr tcpdump 1
on the
.Nm
interface, or stored to disk using
.Xr pflogd 8 .
.Pp
The pflog0 interface is created automatically at boot if both
.Xr pf 4
and
.Xr pflogd 8
are enabled;
further instances can be created using
.Xr ifconfig 8 .
.Pp
Each packet retrieved on this interface has a header associated
with it of length
.Dv PFLOG_HDRLEN .
This header documents the address family, interface name, rule
number, reason, action, and direction of the packet that was logged.
The structure shown below also carries the ruleset name, the sub-rule
number, and user and process ID fields.
This structure, defined in
.In net/pf/if_pflog.h ,
looks like this:
.Bd -literal -offset indent
struct pfloghdr {
	u_int8_t length;
	sa_family_t af;
	u_int8_t action;
	u_int8_t reason;
	char ifname[IFNAMSIZ];
	char ruleset[PF_RULESET_NAME_SIZE];
	u_int32_t rulenr;
	u_int32_t subrulenr;
	uid_t uid;
	pid_t pid;
	uid_t rule_uid;
	pid_t rule_pid;
	u_int8_t dir;
	u_int8_t pad[3];
};
.Ed
.Sh EXAMPLES
Bring up the pflog0 interface
and monitor all packets logged on it:
.Bd -literal -offset indent
# ifconfig pflog0 up
# tcpdump -n -e -ttt -i pflog0
.Ed
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr inet 4 ,
.Xr inet6 4 ,
.Xr netintro 4 ,
.Xr pf 4 ,
.Xr ifconfig 8 ,
.Xr pflogd 8
.Sh HISTORY
The
.Nm
device first appeared in
.Ox 3.0
and was then integrated into
.Dx 1.1
by Devon H. O'Dell and Simon Schubert.
.\" .Sh BUGS
.\" Anything here?