document logging through bpf

2010-10-13 22:07:57 +00:00 · 2010-10-13 22:07:57 +00:00 · 81ab11744e
commit 81ab11744e
parent 7e05daae8f
1 changed files with 18 additions and 13 deletions
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@ -557,28 +557,33 @@ packet delivery.
 Note: this condition is checked before any other condition, including
 ones such as keep-state or check-state which might have side effects.
 .It Cm log Op Cm logamount Ar number
-When a packet matches a rule with the
+Packets matching a rule with the
 .Cm log
-keyword, a message will be
-logged to
+keyword will be made available for logging in two ways:
+if the sysctl variable
+.Va net.inet.ip.fw.verbose
+is set to 0 (default), one can use
+.Xr bpf 4
+attached to the
+.Xr ipfw0
+pseudo interface. There is no overhead if no 
+.Xr bpf
+is attached to the pseudo interface.
+.Pp
+If
+.Va net.inet.ip.fw.verbose
+is set to 1, packets will be logged to
 .Xr syslogd 8
 with a
 .Dv LOG_SECURITY
-facility.
-The logging only occurs if the sysctl variable
-.Va net.inet.ip.fw.verbose
-is set to 1
-(which is the default when the kernel is compiled with
-.Dv IPFIREWALL_VERBOSE )
-and the number of packets logged so far for that
-particular rule does not exceed the
+facility up to a maximum of
 .Cm logamount
-parameter.
+packets.
 If no
 .Cm logamount
 is specified, the limit is taken from the sysctl variable
 .Va net.inet.ip.fw.verbose_limit .
-In both cases, a value of 0 removes the logging limit.
+In both cases, a value of 0 means unlimited logging.
 .Pp
 Once the limit is reached, logging can be re-enabled by
 clearing the logging counter or the packet counter for that entry, see the