[Bug 261566] Padding of DLT_PFLOG packets should be done differently
Date: Sun, 30 Jan 2022 08:51:20 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261566

--- Comment #1 from Guy Harris <gharris@sonic.net> ---

Note also that, if you try to read a DLT_PFLOG capture with the OpenBSD struct pfloghdr, and round the length up to a multiple of 8, you will *NOT* correctly read it.

Here's version 1.29 of sys/net/if_pflog.h:

https://cvsweb.openbsd.org/src/sys/net/if_pflog.h?rev=1.29&content-type=text/x-cvsweb-markup

struct pf_addr is 16 bytes (containing a union big enough to hold either an IPv4 or an IPv6 address, as per version 1.505 of sys/net/pfvar.h:

https://cvsweb.openbsd.org/src/sys/net/pfvar.h?rev=1.505&content-type=text/x-cvsweb-markup

), IFNAMSIZ is 16, sa_family_t is 1 byte, and uid_t and pid_t are both 4 bytes, for a total of 1+1+1+1+16+16+4+4+4+4+4+4+1+1+1+1+16+16+2+2 = 100 bytes, which is *not* a multiple of 8, although it *is* a multiple of 4.

The new-style header was introduced in version 1.8:

https://cvsweb.openbsd.org/src/sys/net/if_pflog.h?rev=1.8&content-type=text/x-cvsweb-markup

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.h.diff?r1=1.7&r2=1.8&f=h

and they got rid of the "PFLOG_REAL_HDRLEN doesn't include the padding to a 4-byte boundary" stuff in version 1.16:

https://cvsweb.openbsd.org/src/sys/net/if_pflog.h?rev=1.16&content-type=text/x-cvsweb-markup

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.h.diff?r1=1.15&r2=1.16&f=h
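
The effect of the two padding rules on a reader, as an added example that is not part of the original comment or of any project's code. The struct only models the field widths summed in the comment; its field names, the helper functions and the sample record are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the header layout using the field widths summed in the comment.
 * Field names are assumptions for illustration, not copied from if_pflog.h. */
struct pflog_hdr_model {
    uint8_t  length, af, action, reason;   /* 1+1+1+1 */
    char     ifname[16];                   /* IFNAMSIZ = 16 */
    char     ruleset[16];
    uint32_t rulenr, subrulenr;            /* 4+4 */
    uint32_t uid;      int32_t pid;        /* uid_t, pid_t: 4 bytes each */
    uint32_t rule_uid; int32_t rule_pid;   /* 4+4 */
    uint8_t  dir, rewritten, naf, pad;     /* 1+1+1+1 */
    uint8_t  saddr[16], daddr[16];         /* struct pf_addr: 16 bytes each */
    uint16_t sport, dport;                 /* 2+2 */
};
_Static_assert(sizeof(struct pflog_hdr_model) == 100, "header must be 100 bytes");

/* Round n up to the next multiple of align. */
size_t round_up(size_t n, size_t align) { return (n + align - 1) / align * align; }

/* Constructed record: zeroed 100-byte header followed by a 20-byte IPv4 header. */
size_t make_record(uint8_t *buf, size_t buflen)
{
    static const uint8_t ip[20] = { 0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
                                    0x40, 0x06, 0x00, 0x00, 192, 0, 2, 1, 192, 0, 2, 2 };
    size_t hdr = sizeof(struct pflog_hdr_model);
    if (buflen < hdr + sizeof ip) return 0;
    memset(buf, 0, hdr);
    memcpy(buf + hdr, ip, sizeof ip);
    return hdr + sizeof ip;
}

/* IP version nibble a reader sees when it pads the header to `align` bytes,
 * or -1 if that offset lies past the captured bytes. */
int ip_version_at(const uint8_t *rec, size_t caplen, size_t align)
{
    size_t off = round_up(sizeof(struct pflog_hdr_model), align);
    if (off >= caplen) return -1;
    return rec[off] >> 4;
}

int main(void)
{
    uint8_t rec[128];
    size_t n = make_record(rec, sizeof rec);
    printf("pad to 4: offset %zu, version %d\n", round_up(100, 4), ip_version_at(rec, n, 4));
    printf("pad to 8: offset %zu, version %d\n", round_up(100, 8), ip_version_at(rec, n, 8));
    return 0;
}
```

A reader that pads to 8 starts 4 bytes into the logged packet, so a version-nibble check like this one is a cheap way for a parser to notice it has applied the wrong rule.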