git: 80c2f5fc0aed - stable/13 - if_pflog: fix packet length
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sun, 12 Dec 2021 18:11:48 UTC
The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=80c2f5fc0aedda284babe1bffbddb4fc29314ff0 commit 80c2f5fc0aedda284babe1bffbddb4fc29314ff0 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2021-12-02 07:22:34 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2021-12-11 09:38:50 +0000 if_pflog: fix packet length There were two issues with the new pflog packet length. The first is that the length is expected to be a multiple of sizeof(long), but we'd assumed it had to be a multiple of sizeof(uint32_t). The second is that there's some broken software out there (such as Wireshark) that makes incorrect assumptions about the amount of padding. That is, Wireshark assumes there's always three bytes of padding, rather than however much is needed to get to a multiple of sizeof(long). Fix this by adding extra padding, and a fake field to maintain Wireshark's assumption. Reported by: Ozkan KIRIK <ozkan.kirik@gmail.com> Tested by: Ozkan KIRIK <ozkan.kirik@gmail.com> MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D33236 (cherry picked from commit 6d4baa0d011cb3e78b4b08415568e71c0aab00fe) --- sys/net/if_pflog.h | 8 ++++++-- sys/netpfil/pf/if_pflog.c | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h index c77d8da1440a..93a69a2bb3a5 100644 --- a/sys/net/if_pflog.h +++ b/sys/net/if_pflog.h @@ -31,6 +31,8 @@ #ifndef _NET_IF_PFLOG_H_ #define _NET_IF_PFLOG_H_ +#include <net/bpf.h> + #define PFLOGIFS_MAX 16 #define PFLOG_RULESET_NAME_SIZE 16 @@ -51,11 +53,13 @@ struct pfloghdr { u_int8_t dir; u_int8_t pad[3]; u_int32_t ridentifier; + u_int8_t reserve; /* Appease broken software like Wireshark. */ + u_int8_t pad2[3]; }; -#define PFLOG_HDRLEN sizeof(struct pfloghdr) +#define PFLOG_HDRLEN BPF_WORDALIGN(offsetof(struct pfloghdr, pad2)) /* minus pad, also used as a signature */ -#define PFLOG_REAL_HDRLEN offsetof(struct pfloghdr, pad) +#define PFLOG_REAL_HDRLEN offsetof(struct pfloghdr, pad2) #ifdef _KERNEL struct pf_rule; diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c index 4853c1301d6f..261c9f2a4087 100644 --- a/sys/netpfil/pf/if_pflog.c +++ b/sys/netpfil/pf/if_pflog.c @@ -215,7 +215,7 @@ pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, return (0); bzero(&hdr, sizeof(hdr)); - hdr.length = PFLOG_HDRLEN; + hdr.length = PFLOG_REAL_HDRLEN; hdr.af = af; hdr.action = rm->action; hdr.reason = reason;