[Bug 261566] Padding of DLT_PFLOG packets should be done differently

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 30 Jan 2022 08:51:20 UTC

--- Comment #1 from Guy Harris <gharris@sonic.net> ---
Note also that, if you try to read a DLT_PFLOG capture with the OpenBSD struct
pfloghdr, and round the length up to a multiple of 8, you will *NOT* correctly
read it.

Here's version 1.29 of sys/net/if_pflog.h:


struct pf_addr is 16 bytes (containing a union big enough to hold either an
IPv4 or an IPv6 address, as per version 1.505 of sys/net/pfvar.h:


), IFNAMSIZ is 16, sa_family_t is 1 byte, and uid_t and pid_t are both 4 bytes,
for a total of 1+1+1+1+16+16+4+4+4+4+4+4+1+1+1+1+16+16+2+2 = 100 bytes, which
is *not* a multiple of 8, although it *is* a multiple of 4.

The new-style header was introduced in version 1.8:



and they got rid of the "PFLOG_REAL_HDRLEN doesn't include the padding to a
4-byte boundary" stuff in version 1.16:
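The effect of the 100-byte total computed above on a reader that rounds to 8, as an added example that is not part of the original comment or of any project's code. The struct's field names, the sample IPv4 bytes and the helper functions are constructed for illustration; only the field sizes and their order come from the sum quoted in the comment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field names are illustrative; sizes follow the sum in the comment. */
struct pflog_hdr_100 {
    uint8_t  b1[4];        /* 1+1+1+1 */
    char     name1[16];    /* 16 (IFNAMSIZ) */
    char     name2[16];    /* 16 */
    uint32_t w[6];         /* 4+4+4+4+4+4 */
    uint8_t  b2[4];        /* 1+1+1+1 */
    uint8_t  addr1[16];    /* 16 (struct pf_addr) */
    uint8_t  addr2[16];    /* 16 (struct pf_addr) */
    uint16_t port1, port2; /* 2+2 */
};
_Static_assert(sizeof(struct pflog_hdr_100) == 100, "header must be 100 bytes");

/* Round n up to a multiple of align (align must be a power of two). */
size_t round_up(size_t n, size_t align) { return (n + align - 1) & ~(align - 1); }

/* Constructed sample: zeroed 100-byte header followed directly by a
   20-byte IPv4 header (first byte 0x45 = version 4, IHL 5). */
size_t build_sample(uint8_t *buf, size_t buflen) {
    static const uint8_t ip[20] = { 0x45, 0x00, 0x00, 0x14, 0x12, 0x34, 0x00,
        0x00, 0x40, 0x06, 0x00, 0x00, 0xc0, 0x00, 0x02, 0x01, 0xc0, 0x00,
        0x02, 0x02 };
    size_t hdr = sizeof(struct pflog_hdr_100);
    if (buflen < hdr + sizeof ip) return 0;
    memset(buf, 0, hdr);
    memcpy(buf + hdr, ip, sizeof ip);
    return hdr + sizeof ip;
}

/* IP version nibble found where a reader using this alignment looks for
   the payload; -1 if that offset lies past the captured data. */
int ip_version_at(const uint8_t *pkt, size_t caplen, size_t align) {
    size_t off = round_up(sizeof(struct pflog_hdr_100), align);
    return off < caplen ? pkt[off] >> 4 : -1;
}

int main(void) {
    uint8_t pkt[256];
    size_t n = build_sample(pkt, sizeof pkt);
    printf("round to 4: offset %zu, IP version %d\n", round_up(100, 4), ip_version_at(pkt, n, 4));
    printf("round to 8: offset %zu, IP version %d\n", round_up(100, 8), ip_version_at(pkt, n, 8));
    return 0;
}
```

A reader that rounds to 8 starts four bytes into the IP header, so every field it decodes after that point is taken from the wrong bytes.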



