The patch implements a bare bones parser for the following traffic:

Common prefix on every line: rule number, action, direction and interface. Example:
    rule 1/0(match): block in on xl0:

TCP: source and destination IP address, source and destination ports, TCP flags. Example:
    tcp: 10.10.10.1:25445 -> 10.10.10.2:23 flags S

UDP: source and destination IP address, source and destination ports. Example:
    udp: 10.10.10.1:32484 -> 10.10.10.2:53

ICMP: source and destination IP address, ICMP type/code. Example:
    icmp: 10.10.10.1 -> 10.10.10.2 type 8/0

Other IP protocols: source and destination IP address, IP protocol number. Example:
    ip-proto-50: 10.10.10.1 -> 10.10.10.2

IP fragments: source and destination IP address. Example:
    ip-frag: 10.10.10.2 -> 10.10.10.1
These examples might look like this in the actual syslog file:

    Mar 9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: icmp: 10.10.10.1 -> 10.10.10.2 type 8/0
    Mar 9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: tcp: 10.10.10.1:25445 -> 10.10.10.2:23 flags S (DF)
    Mar 9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: udp: 10.10.10.1:32484 -> 10.10.10.2:53
    Mar 9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: icmp6: ::1 -> ::1 type 128/0
    Mar 9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: ip-frag: 10.10.10.2 -> 10.10.10.1

IP addresses (v4/v6) and port numbers are printed in numerical form; no name resolution is performed. "(DF)" at the end of a line means that the "Don't Fragment" bit was set in the IP header.
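To show how the lines above can be consumed downstream (for correlation or alerting on the blocked traffic), here is an added Python parser that is not part of the patch: it splits each syslog line into the common rule prefix and the per-protocol fields described above, handles the "(DF)" trailer and IPv6 addresses, and skips lines from other daemons. The sample lines embedded in it are constructed in the described format, not captured from a real system.

```python
import re

# Fixed prefix shared by every pflogd syslog line: timestamp, host, rule, action, direction, interface, protocol.
HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pflogd\[\d+\]: "
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>\w+)\): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<proto>[\w-]+): (?P<rest>.*)$")

def parse_line(line: str):
    """Parse one pflogd syslog line into a dict; returns None for lines that are not pflogd output."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    tokens = m["rest"].split()
    df = bool(tokens) and tokens[-1] == "(DF)"  # "(DF)" trailer: Don't Fragment bit set in the IP header
    if df:
        tokens.pop()
    if len(tokens) < 3 or tokens[1] != "->":
        return None
    e = {"ts": m["ts"], "host": m["host"], "rule": int(m["rule"]), "subrule": int(m["subrule"]),
         "action": m["action"], "dir": m["dir"], "iface": m["iface"], "proto": m["proto"],
         "src": tokens[0], "dst": tokens[2], "sport": None, "dport": None, "flags": None,
         "icmp_type": None, "icmp_code": None, "ip_proto": None, "df": df}
    if e["proto"] in ("tcp", "udp"):
        # Addresses carry a trailing ":port"; rpartition keeps IPv6 addresses (which contain colons) intact.
        e["src"], _, sport = e["src"].rpartition(":")
        e["dst"], _, dport = e["dst"].rpartition(":")
        e["sport"], e["dport"] = int(sport), int(dport)
        if len(tokens) >= 5 and tokens[3] == "flags":  # TCP flags, e.g. "flags S"
            e["flags"] = tokens[4]
    elif e["proto"] in ("icmp", "icmp6") and len(tokens) >= 5 and tokens[3] == "type":
        e["icmp_type"], e["icmp_code"] = (int(x) for x in tokens[4].split("/"))
    elif e["proto"].startswith("ip-proto-"):
        e["ip_proto"] = int(e["proto"][len("ip-proto-"):])  # raw IP protocol number
    return e

def parse_log(text: str) -> list:
    """Parse a whole syslog excerpt, skipping lines from other daemons."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

# Constructed sample in the format the patch emits (not captured from a real system).
SAMPLE = """\
Mar 9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: icmp: 10.10.10.1 -> 10.10.10.2 type 8/0
Mar 9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: tcp: 10.10.10.1:25445 -> 10.10.10.2:23 flags S (DF)
Mar 9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: udp: 10.10.10.1:32484 -> 10.10.10.2:53
Mar 9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: icmp6: ::1 -> ::1 type 128/0
Mar 9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: ip-proto-50: 10.10.10.1 -> 10.10.10.2
Mar 9 10:40:57 fw pflogd[9]: rule 1/0(match): block in on xl0: ip-frag: 10.10.10.2 -> 10.10.10.1
Mar 9 10:40:58 fw sshd[123]: Connection closed by 10.10.10.3
"""
```

Calling parse_log(SAMPLE) yields six dicts, one per pflogd line, with the sshd line dropped.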
New command line options:

    -S            Enable the syslog feature.
    -F facility   Set the syslog facility. The syslog level is determined automatically, depending on the message.
    -u user       Become the given user after opening the filtering socket. This option has no effect when logging to a file.
Example usage:
# pflogd -S -F local0 -u nobody