Date: Tue, 08 Jul 2014 16:16:26 -0500 From: Bryan Drewery <bdrewery@FreeBSD.org> To: arch@FreeBSD.org Subject: pflog/tcpdump/PID_MAX/NO_PID [was: sys/proc.h inclusion of sys/time.h] Message-ID: <53BC5FAA.4090501@FreeBSD.org> In-Reply-To: <20140708210727.GA63071@stack.nl> References: <53BC4F49.7000903@FreeBSD.org> <20140708210727.GA63071@stack.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
On 7/8/14, 4:07 PM, Jilles Tjoelker wrote:
> On Tue, Jul 08, 2014 at 03:06:33PM -0500, Bryan Drewery wrote:
>> In r34924 sys/proc.h was changed to only include sys/time.h if not
>> building in kernel.
>> [snip]
>> (Why am I doing this? I need PID_MAX and NO_PID for a tcpdump change I
>> am testing that is intended for upstreaming. Perhaps I can use
>> kern.pid_max in __FreeBSD__ and other hacks on other platforms, I have
>> not yet decided on this.)
> The kern.pid_max sysctl is mostly intended for running FreeBSD 1.0
> binaries, which have a 16-bit pid_t. Therefore, it is run-time
> adjustable and existing processes may have a pid higher than its value.
>
> Ideally, you do not need PID_MAX and NO_PID; try to use a variable of
> type pid_t only for a process ID and store flags elsewhere. There may be
> a problem if you need to read pid_t from an internal structure or
> message, though.
>
It's needed in this case as pflog will store NO_PID if no pid is stored
for logged packets. This is 100000 on FreeBSD, 32767 on OpenBSD, 30001
on NetBSD.
I am updating tcpdump to display logged uid/pid. Note that our pf does
not log the pid ever right now and always uses NO_PID. I am going to
explore what is needed to fix this.
From talks I've had it seems there is a broad consensus that pf should
not be using NO_PID in this case, but I am doubtful this will be fixed
in all implementations. My goal here is just fixing tcpdump in an
upstreamable way. Us changing pf to not use NO_PID only complicates my
goal. While I could use a __FreeBSD__ ifdef it would only be valid on
FreeBSD 11, earlier releases would still need the check on NO_PID.
My current mockup is:
> Index: ../../contrib/tcpdump/print-pflog.c
> ===================================================================
> --- ../../contrib/tcpdump/print-pflog.c (revision 268114)
> +++ ../../contrib/tcpdump/print-pflog.c (working copy)
> @@ -32,6 +32,10 @@
> #error "No pf headers available"
> #endif
> #include <sys/types.h>
> +#include <sys/param.h>
> +#define _KERNEL
> +#include <sys/proc.h>
> +#undef _KERNEL
> #include <sys/socket.h>
> #include <net/if.h>
> #include <net/pfvar.h>
> @@ -101,12 +105,19 @@
> printf("rule %u/", rulenr);
> else
> printf("rule %u.%s.%u/", rulenr, hdr->ruleset, subrulenr);
> -
> - printf("%s: %s %s on %s: ",
> - tok2str(pf_reasons, "unkn(%u)", hdr->reason),
> + printf("%s", tok2str(pf_reasons, "unkn(%u)", hdr->reason));
> + if (vflag)
> + printf("[uid %u, pid %u]", (unsigned)hdr->rule_uid,
> + (unsigned)hdr->rule_pid);
> + printf(": %s %s on %s: ",
> tok2str(pf_actions, "unkn(%u)", hdr->action),
> tok2str(pf_directions, "unkn(%u)", hdr->dir),
> hdr->ifname);
> + if (vflag && hdr->uid != UID_MAX)
> + printf("[uid %u] ", (unsigned)hdr->uid);
> + if (vflag && hdr->pid != NO_PID)
> + printf("[pid %u] ", (unsigned)hdr->pid);
> + /* XXX: pid is not displayed as we always have NO_PID
> currently. */
> }
--
Regards,
Bryan Drewery
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53BC5FAA.4090501>