NetBSD Problem Report #42780
From www@NetBSD.org Tue Feb 9 16:22:36 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 9D91463C445
for <gnats-bugs@gnats.NetBSD.org>; Tue, 9 Feb 2010 16:22:36 +0000 (UTC)
Message-Id: <20100209162236.39A3F63BBAC@www.NetBSD.org>
Date: Tue, 9 Feb 2010 16:22:36 +0000 (UTC)
From: l.illanes@gmx.de
Reply-To: l.illanes@gmx.de
To: gnats-bugs@NetBSD.org
Subject: tcpdump (8) fails to apply filter expressions to DLT_PFLOG packets
X-Send-Pr-Version: www-1.0
>Number: 42780
>Category: bin
>Synopsis: tcpdump (8) fails to apply filter expressions to DLT_PFLOG packets
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Feb 09 16:25:00 +0000 2010
>Closed-Date:
>Last-Modified: Fri Oct 15 04:46:23 +0000 2010
>Originator: Lucio Albornoz
>Release: 5.0.1
>Organization:
>Environment:
NetBSD amal.local 5.0.1 NetBSD 5.0.1 (AMAL) #9: Mon Oct 26 01:55:04 CET 2009 toor@amal.local:/usr/src/sys/arch/i386/compile/AMAL i386
>Description:
Attempting to apply filter expressions to either a packet capture
dump (e.g. `-r') or via live capture from a pflog (4) interface
reproducibly yields zero (0) matching packets; the culprit here
appears to be NetBSD's in-tree libpcap, which calculates a pflog (4)
header size that is shorter than the actual header prepended by
the kernel's corresponding logic.
The attached diff fixes this by updating the pfloghdr struct
definition from net/pflog.h.
>How-To-Repeat:
tcpdump (8) from a live pflog (4) interface, or a packet dump captured
from an instance of the former, applying a filter expression which would
otherwise match packets.
>Fix:
--- pf.h.orig 2010-02-09 17:02:25.000000000 +0100
+++ pf.h 2010-02-09 17:04:06.000000000 +0100
@@ -56,22 +56,30 @@
#define PF_RULESET_NAME_SIZE 16
-/* from $OpenBSD: if_pflog.h,v 1.9 2003/07/15 20:27:27 dhartmei Exp $ */
-
#ifndef IFNAMSIZ
#define IFNAMSIZ 16
#endif
+/* from $NetBSD: if_pflog.h,v 1.5 2008/06/18 09:06:27 yamt Exp $ */
+/* $OpenBSD: if_pflog.h,v 1.14 2006/10/25 11:27:01 henning Exp $ */
+
+#define PFLOG_RULESET_NAME_SIZE 16
+
struct pfloghdr {
u_int8_t length;
- u_int8_t af;
+ sa_family_t af;
u_int8_t action;
u_int8_t reason;
char ifname[IFNAMSIZ];
- char ruleset[PF_RULESET_NAME_SIZE];
+ char ruleset[PFLOG_RULESET_NAME_SIZE];
u_int32_t rulenr;
u_int32_t subrulenr;
+ uid_t uid;
+ pid_t pid;
+ uid_t rule_uid;
+ pid_t rule_pid;
u_int8_t dir;
u_int8_t pad[3];
};
+
#define PFLOG_HDRLEN sizeof(struct pfloghdr)
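Review bot: In the struct pfloghdr hunk, the changed and added members use host-defined types (sa_family_t af, and uid_t/pid_t for uid, pid, rule_uid and rule_pid), while PFLOG_HDRLEN stays sizeof(struct pfloghdr). This struct describes bytes stored in a capture file, so its size and member offsets should not depend on the machine that reads the dump. Suggest keeping af as u_int8_t and declaring the four new members with fixed-width types in the style of the existing "u_int32_t rulenr;", so the header length is the same wherever the file is opened. A short comment above the struct naming which kernel if_pflog.h revision the layout must track would also help prevent the two definitions from drifting apart again.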
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback
State-Changed-By: drochner@NetBSD.org
State-Changed-When: Fri, 12 Feb 2010 21:21:02 +0000
State-Changed-Why:
does the fix in dist/libpcap/pf.h rev. 1.2 work for you?
(note that the headers in libpcap deliberately use fixed width types
so that a dump file taken on one machine can be read on another one)
From: Matthias Drochner <drochner@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/42780 CVS commit: src/dist/libpcap
Date: Fri, 12 Feb 2010 21:16:57 +0000
Module Name: src
Committed By: drochner
Date: Fri Feb 12 21:16:56 UTC 2010
Modified Files:
src/dist/libpcap: pf.h
Log Message:
sync with rev. 1.5 of sys/dist/pf/net/if_pflog.h (which was before
the 5.x branch), to make filter expressions in pflog dumps work again,
from Lucio Albornoz per PR bin/42780
(pullup candidate)
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.2 src/dist/libpcap/pf.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: feedback->open
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 15 Oct 2010 04:46:23 +0000
State-Changed-Why:
Feedback timeout. However, the proposed fix should be pulled up to -5.
>Unformatted:
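The failure described under >Description:, as an added C illustration that is not part of the original report or of libpcap's code. The struct names, matches_tcp() and build_sample() are hypothetical, the uid/pid members are assumed to be 32 bits wide, the filter is a simplified stand-in for a "tcp" expression, and the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-width stand-ins for the two layouts in the diff (names hypothetical). */
struct pfloghdr_old {
    uint8_t  length, af, action, reason;
    char     ifname[16], ruleset[16];
    uint32_t rulenr, subrulenr;
    uint8_t  dir, pad[3];
};
struct pfloghdr_new {
    uint8_t  length, af, action, reason;
    char     ifname[16], ruleset[16];
    uint32_t rulenr, subrulenr;
    uint32_t uid, pid, rule_uid, rule_pid; /* assumption: 32-bit uid/pid */
    uint8_t  dir, pad[3];
};

/* Simplified "tcp" filter: IPv4 with protocol 6, expected hdrlen bytes in. */
int matches_tcp(const uint8_t *pkt, size_t caplen, size_t hdrlen)
{
    if (caplen < hdrlen + 20)
        return 0;
    return (pkt[hdrlen] >> 4) == 4 && pkt[hdrlen + 9] == 6;
}

/* Constructed sample: new-layout pflog header followed by an IPv4 header. */
size_t build_sample(uint8_t *buf)
{
    struct pfloghdr_new h;
    memset(&h, 0, sizeof h);
    h.pid = 1234;                 /* constructed value */
    memcpy(buf, &h, sizeof h);
    memset(buf + sizeof h, 0, 20);
    buf[sizeof h] = 0x45;         /* IPv4, 20-byte header */
    buf[sizeof h + 9] = 6;        /* protocol: TCP */
    return sizeof h + 20;
}

int main(void)
{
    uint8_t buf[128];
    size_t n = build_sample(buf);
    printf("old hdrlen %zu match=%d, new hdrlen %zu match=%d\n",
           sizeof(struct pfloghdr_old), matches_tcp(buf, n, sizeof(struct pfloghdr_old)),
           sizeof(struct pfloghdr_new), matches_tcp(buf, n, sizeof(struct pfloghdr_new)));
    return 0;
}
```

With the shorter header length the filter inspects bytes that still belong to the pflog header, so the same packet that matches under the longer layout is rejected.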