author | ngie <ngie@FreeBSD.org> | 2015-10-05 03:26:51 +0000 |
---|---|---|
committer | ngie <ngie@FreeBSD.org> | 2015-10-05 03:26:51 +0000 |
commit | e1dd16d965b177f109afb771e59432e36f335d0a (patch) | |
tree | 15db092a5401cf329f1bff9d3bf700d1fde0f121 /contrib/ipfilter/man/ipl.4 | |
parent | 115d008392113efc6f844baa7cc407e9eaae63db (diff) | |
Revert r288682
I meant to do this on ^/user/ngie/more-tests
Pointyhat to: ngie (use svn info next time...)
Diffstat (limited to 'contrib/ipfilter/man/ipl.4')
-rw-r--r-- | contrib/ipfilter/man/ipl.4 | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/contrib/ipfilter/man/ipl.4 b/contrib/ipfilter/man/ipl.4 new file mode 100644 index 0000000..da1d9e6 --- /dev/null +++ b/contrib/ipfilter/man/ipl.4 
@@ -0,0 +1,81 @@ +.\" $FreeBSD$ +.\" +.TH IPL 4 +.SH NAME +ipl \- IP packet log device +.SH DESCRIPTION +The \fBipl\fP pseudo device's purpose is to provide an easy way to gather +packet headers of packets you wish to log. If a packet header is to be +logged, the entire header is logged (including any IP options \- TCP/UDP +options are not included when it calculates header size) or not at all. +The packet contents are also logged after the header. If the log reader +is busy or otherwise unable to read log records, up to IPLLOGSIZE (8192 is the +default) bytes of data are stored. +.PP +Prepending every packet header logged is a structure containing information +relevant to the packet following and why it was logged. The structure's +format is as follows: +.LP +.nf +/* + * Log structure. Each packet header logged is prepended by one of these. + * Following this in the log records read from the device will be an ipflog + * structure which is then followed by any packet data. + */ +typedef struct iplog { + u_long ipl_sec; + u_long ipl_usec; + u_int ipl_len; + u_int ipl_count; + size_t ipl_dsize; + struct iplog *ipl_next; +} iplog_t; + + +typedef struct ipflog { +#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) + u_char fl_ifname[IFNAMSIZ]; +#else + u_int fl_unit; + u_char fl_ifname[4]; +#endif + u_char fl_plen; /* extra data after hlen */ + u_char fl_hlen; /* length of IP headers saved */ + u_short fl_rule; /* assume never more than 64k rules, total */ + u_32_t fl_flags; +} ipflog_t; + +.fi +.PP +When reading from the \fBipl\fP device, it is necessary to call read(2) with +a buffer big enough to hold at least 1 complete log record - reading of partial +log records is not supported. +.PP +If the packet contents are more than 128 bytes when \fBlog body\fP is used, +then only 128 bytes of the packet contents are logged. 
+.PP +Although it is only possible to read from the \fBipl\fP device, opening it +for writing is required when using an ioctl which changes any kernel data. +.PP +The ioctls which are loaded with this device can be found under \fBipf(4)\fP. +The ioctls which are for use with logging and don't affect the filter are: +.LP +.nf + ioctl(fd, SIOCIPFFB, int *) + ioctl(fd, FIONREAD, int *) +.fi +.PP +The SIOCIPFFB ioctl flushes the log buffer and returns the number of bytes +flushed. FIONREAD returns the number of bytes currently used for storing +log data. If IPFILTER_LOG is not defined when compiling, SIOCIPFFB is not +available and FIONREAD will return but not do anything. +.PP +There is currently no support for non-blocking IO with this device, meaning +all read operations should be considered blocking in nature (if there is no +data to read, it will sleep until some is made available). +.SH SEE ALSO +ipf(4) +.SH BUGS +Packet headers are dropped when the internal buffer (static size) fills. +.SH FILES +/dev/ipl0 |
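Review bot: The DESCRIPTION paragraph on read(2) says the buffer must hold "at least 1 complete log record" and that partial reads are not supported, but it gives neither the maximum size of a record nor what read(2) returns when the buffer is too small, so a log reader cannot size its buffer safely or tell a short-buffer failure from any other error. Suggest stating a safe buffer size (for example in terms of IPLLOGSIZE, which the page already gives as the storage limit) and the error that is returned. In the ipflog definition, the condition `(NetBSD <= 1991011) && (NetBSD >= 199603)` pairs a seven-digit bound with a six-digit one, which looks like a typo and is worth checking against the source it was copied from. The iplog structure lists `struct iplog *ipl_next` and `ipl_count` with no comment on what either means to a userland reader; a one-line description per field would help. The BUGS entry says packet headers are dropped when the internal buffer fills; since that is silent loss of log data, the page should say whether a reader can detect that records were dropped.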