Date:      Sun, 30 Jan 2022 08:51:20 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 261566] Padding of DLT_PFLOG packets should be done differently
Message-ID:  <bug-261566-227-68vUzbU8wn@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-261566-227@https.bugs.freebsd.org/bugzilla/>
References:  <bug-261566-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261566

--- Comment #1 from Guy Harris <gharris@sonic.net> ---
Note also that, if you try to read a DLT_PFLOG capture with the OpenBSD struct
pfloghdr, and round the length up to a multiple of 8, you will *NOT* correctly
read it.

Here's version 1.29 of sys/net/if_pflog.h:

   https://cvsweb.openbsd.org/src/sys/net/if_pflog.h?rev=1.29&content-type=text/x-cvsweb-markup

struct pf_addr is 16 bytes (containing a union big enough to hold either an
IPv4 or an IPv6 address, as per version 1.505 of sys/net/pfvar.h:

   https://cvsweb.openbsd.org/src/sys/net/pfvar.h?rev=1.505&content-type=text/x-cvsweb-markup

), IFNAMSIZ is 16, sa_family_t is 1 byte, and uid_t and pid_t are both 4 bytes,
for a total of 1+1+1+1+16+16+4+4+4+4+4+4+1+1+1+1+16+16+2+2 = 100 bytes, which
is *not* a multiple of 8, although it *is* a multiple of 4.

The new-style header was introduced in version 1.8:

   https://cvsweb.openbsd.org/src/sys/net/if_pflog.h?rev=1.8&content-type=text/x-cvsweb-markup

   https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.h.diff?r1=1.7&r2=1.8&f=h

and they got rid of the "PFLOG_REAL_HDRLEN doesn't include the padding to a
4-byte boundary" stuff in version 1.16:

   https://cvsweb.openbsd.org/src/sys/net/if_pflog.h?rev=1.16&content-type=text/x-cvsweb-markup

   https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.h.diff?r1=1.15&r2=1.16&f=h

-- 
You are receiving this mail because:
You are the assignee for the bug.
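
The arithmetic in the comment above, as an added example written for this archive page (it is not code from OpenBSD, FreeBSD, libpcap or the bug reporter). The struct below mirrors the field sizes and order the comment tallies (1+1+1+1+16+16+4+4+4+4+4+4+1+1+1+1+16+16+2+2); the field names, the typedef'd widths and the constructed sample frame are assumptions made here so the program is self-contained, not a copy of sys/net/if_pflog.h. It checks that the header is 100 bytes with no compiler padding, then parses a constructed DLT_PFLOG frame twice: rounding the header's own length byte up to 4 lands on the logged packet, rounding it up to 8 skips four bytes into it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes as stated in the comment (assumed to match OpenBSD; defined
 * locally so the example does not depend on system headers). */
#define OBSD_IFNAMSIZ                16
#define OBSD_PFLOG_RULESET_NAME_SIZE 16

typedef uint8_t  obsd_sa_family_t;  /* 1 byte on OpenBSD, per the comment */
typedef uint32_t obsd_uid_t;        /* 4 bytes */
typedef uint32_t obsd_pid_t;        /* 4 bytes */

/* 16-byte address: a union large enough for an IPv4 or IPv6 address.
 * Its widest member is 32-bit, so its alignment is 4, not 8. */
struct obsd_pf_addr {
    union {
        uint8_t  addr8[16];
        uint16_t addr16[8];
        uint32_t addr32[4];
    } pfa;
};

/* Field-for-field mirror of the tallied layout (names are assumed). */
struct obsd_pfloghdr {
    uint8_t             length;      /* header length in bytes, set by the kernel */
    obsd_sa_family_t    af;
    uint8_t             action;
    uint8_t             reason;
    char                ifname[OBSD_IFNAMSIZ];
    char                ruleset[OBSD_PFLOG_RULESET_NAME_SIZE];
    uint32_t            rulenr;
    uint32_t            subrulenr;
    obsd_uid_t          uid;
    obsd_pid_t          pid;
    obsd_uid_t          rule_uid;
    obsd_pid_t          rule_pid;
    uint8_t             dir;
    uint8_t             rewritten;
    obsd_sa_family_t    naf;
    uint8_t             pad[1];
    struct obsd_pf_addr saddr;
    struct obsd_pf_addr daddr;
    uint16_t            sport;
    uint16_t            dport;
};

/* Round n up to a multiple of align (align must be a power of two). */
static size_t round_up(size_t n, size_t align)
{
    return (n + align - 1) & ~(align - 1);
}

/* Offset of the logged packet inside a DLT_PFLOG frame: the header's own
 * length byte rounded up to `align`. Returns 0 if the frame is too short. */
static size_t pflog_packet_offset(const uint8_t *frame, size_t caplen, size_t align)
{
    if (caplen < 1)
        return 0;
    size_t off = round_up(frame[0], align);
    if (off == 0 || off > caplen)
        return 0;
    return off;
}

/* Constructed sample frame (not a real capture): a zeroed 100-byte header
 * with length/af/ifname filled in, followed by a minimal 20-byte IPv4 header.
 * Returns the frame length written into buf, or 0 if buf is too small. */
static size_t build_sample_frame(uint8_t *buf, size_t bufsz)
{
    static const uint8_t ipv4[20] = {
        0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01,
        0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02
    };
    struct obsd_pfloghdr h;
    if (bufsz < sizeof h + sizeof ipv4)
        return 0;
    memset(&h, 0, sizeof h);
    h.length = (uint8_t)sizeof h;   /* 100 */
    h.af = 2;                       /* AF_INET */
    memcpy(h.ifname, "em0", 3);
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, ipv4, sizeof ipv4);
    return sizeof h + sizeof ipv4;
}

/* First byte a reader sees as "the packet" when it aligns the header to
 * `align`; -1 if the offset falls outside the frame. 0x45 means it correctly
 * found the IPv4 version/IHL byte. */
static int first_packet_byte(size_t align)
{
    uint8_t frame[256];
    size_t n = build_sample_frame(frame, sizeof frame);
    size_t off = pflog_packet_offset(frame, n, align);
    if (n == 0 || off == 0)
        return -1;
    return frame[off];
}

int main(void)
{
    printf("sizeof pfloghdr = %zu (multiple of 4: %s, multiple of 8: %s)\n",
           sizeof(struct obsd_pfloghdr),
           sizeof(struct obsd_pfloghdr) % 4 == 0 ? "yes" : "no",
           sizeof(struct obsd_pfloghdr) % 8 == 0 ? "yes" : "no");
    printf("align to 4: packet starts at %zu, first byte 0x%02x\n",
           round_up(100, 4), first_packet_byte(4));
    printf("align to 8: packet starts at %zu, first byte 0x%02x\n",
           round_up(100, 8), first_packet_byte(8));
    return 0;
}
```

The point for anyone writing a DLT_PFLOG reader: trust the header's length byte and round it to the 4-byte boundary the OpenBSD struct actually has; a hard-coded 8-byte round-up silently shifts every decoded packet by four bytes.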


