.\"	$OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $
.\"
.\" Copyright (c) 2001 Tobias Weingartner
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd October 29, 2021
.Dt PFLOG 4
.Os
.Sh NAME
.Nm pflog
.Nd packet filter logging interface
.Sh SYNOPSIS
.Cd "device pflog"
.Sh DESCRIPTION
The
.Nm pflog
interface is a device which makes visible all packets logged by
the packet filter,
.Xr pf 4 .
Logged packets can easily be monitored in real
time by invoking
.Xr tcpdump 1
on the
.Nm
interface, or stored to disk using
.Xr pflogd 8 .
.Pp
The pflog0 interface is created when the
.Nm
module is loaded;
further instances can be created using
.Xr ifconfig 8 .
The
.Nm
module is loaded automatically if both
.Xr pf 4
and
.Xr pflogd 8
are enabled.
.Pp
Each packet retrieved on this interface has a header associated
with it of length
.Dv PFLOG_HDRLEN .
This header documents the address family, interface name, rule
number, reason, action, and direction of the packet that was logged.
This structure, defined in
.Aq Pa net/if_pflog.h ,
looks like
.Bd -literal -offset indent
struct pfloghdr {
	u_int8_t	length;
	sa_family_t	af;
	u_int8_t	action;
	u_int8_t	reason;
	char		ifname[IFNAMSIZ];
	char		ruleset[PF_RULESET_NAME_SIZE];
	u_int32_t	rulenr;
	u_int32_t	subrulenr;
	uid_t		uid;
	pid_t		pid;
	uid_t		rule_uid;
	pid_t		rule_pid;
	u_int8_t	dir;
	u_int8_t	pad[3];
	u_int32_t	ridentifier;
};
.Ed
.Sh EXAMPLES
Create a
.Nm
interface
and monitor all packets logged on it:
.Bd -literal -offset indent
# ifconfig pflog create
pflog1
# ifconfig pflog1 up
# tcpdump -n -e -ttt -i pflog1
.Ed
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr inet 4 ,
.Xr inet6 4 ,
.Xr netintro 4 ,
.Xr pf 4 ,
.Xr ifconfig 8 ,
.Xr pflogd 8
.Sh HISTORY
The
.Nm
device first appeared in
.Ox 3.0 .
.Sh BUGS
FreeBSD does not set a process id in the
.Fa pid
field in pfloghdr;
log consumers should therefore not rely on that field to attribute
a logged packet to a process.