[Bug 283799] tcpdump (14.2+) endian-swaps uid when parsing pflog data

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 02 Jan 2025 22:10:29 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283799

Joseph Mingrone <jrm@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #2 from Joseph Mingrone <jrm@freebsd.org> ---
[CC: kp@FreeBSD.org who has a better understanding of pf.]

Hello, and thank you for reporting.

hdr->uid is now defined as nd_uint32_t in contrib/tcpdump/pflog.h [0], so I
/thought/ we needed GET_BE_U_4.  The equivalent upstream code (which has
unfortunately diverged from ours) also uses GET_BE_U_4 when printing the uid
[1].

I'm not a pf user, so I'm not clear on the expected output before and after
this change.  This is what I see now:

% id -u
1001

% sudo service pf start
Enabling pf.

% sudo service pflog start
Starting pflog.

% cat /etc/pf.conf
if="em0"
block out log on $if inet proto icmp all

% ping google.com # (in another vt)

% sudo tcpdump -n -e -ttt -i pflog0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), snapshot length
262144 bytes
 00:00:00.000000 rule 0/0(match) [uid 0]: block out on em0: 192.168.2.2 >
142.250.80.46: ICMP echo request, id 40305, seq 0, length 64

Could you share a recipe to demonstrate the problem?

--

[0] https://github.com/freebsd/freebsd-src/blob/main/contrib/tcpdump/pflog.h#L118-L151
[1] https://github.com/the-tcpdump-group/tcpdump/blob/master/print-pflog.c#L424-L432

-- 
You are receiving this mail because:
You are the assignee for the bug.
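The comment above only ever sees "[uid 0]" because the test is run by root, and 0 (like UID_MAX, which pf uses when no uid is known) has the same byte pattern whether it is read as big-endian or in host order, so that output cannot tell a GET_BE_U_4 read apart from a host-order one. The following C program is an added example, not code from the bug report, from FreeBSD or from tcpdump; it models GET_BE_U_4 and a raw host-order read against a uid field that a little-endian machine has stored as a plain struct assignment (an assumption about how the kernel fills the header, which is what the bug title implies) and shows why an unprivileged uid such as 1001 is needed to observe the swap. The helper names (get_be_u4, get_host_u4, store_uid_le, swap_invariant, printed_uid_for_le_host) are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UID_MAX from <sys/limits.h>: uid_t is 32 bits, so this is 0xffffffff. */
#define UID_MAX_VAL 0xffffffffU

/* Model of tcpdump's GET_BE_U_4(): interpret 4 bytes as a big-endian value,
 * regardless of the byte order of the host that wrote the capture. */
static uint32_t get_be_u4(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Model of a raw struct-field read on the machine running this program
 * (what a plain `uid = hdr->uid;` gives when writer and reader share byte order). */
static uint32_t get_host_u4(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xff00U) | ((v << 8) & 0xff0000U) | (v << 24);
}

/* Lay the field out as a little-endian machine's `hdr.uid = uid;` would.
 * ASSUMPTION: the kernel stores uid in host order, without htonl(). */
static void store_uid_le(uint8_t *p, uint32_t uid)
{
    p[0] = (uint8_t)(uid & 0xff);
    p[1] = (uint8_t)((uid >> 8) & 0xff);
    p[2] = (uint8_t)((uid >> 16) & 0xff);
    p[3] = (uint8_t)((uid >> 24) & 0xff);
}

/* A value that is its own byte swap (0, UID_MAX, 0x01000001, ...) reads the same
 * either way, so a test with such a uid cannot reveal a wrong-endian decode. */
static int swap_invariant(uint32_t v)
{
    return bswap32(v) == v;
}

/* What a big-endian read (GET_BE_U_4) yields for a uid written by a
 * little-endian host under the assumption above. */
static uint32_t printed_uid_for_le_host(uint32_t uid)
{
    uint8_t field[4];
    store_uid_le(field, uid);
    return get_be_u4(field);
}

int main(void)
{
    /* Constructed sample uids: root, the reporter's unprivileged uid, and "no uid". */
    const uint32_t samples[] = { 0, 1001, UID_MAX_VAL };
    uint8_t field[4];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        store_uid_le(field, samples[i]);
        printf("uid %u written by a LE host: GET_BE_U_4 -> %u, host read on this machine -> %u%s\n",
               samples[i], get_be_u4(field), get_host_u4(field),
               swap_invariant(samples[i]) ? "  (swap-invariant, cannot show the bug)" : "");
    }
    return 0;
}
```

Running it under an unprivileged account is the recipe the comment asks for: with uid 1001, a big-endian read of the little-endian field yields 0xE9030000 (3909287936), whereas uid 0 and UID_MAX print identically under both interpretations, which is exactly why the root-run ping test above looks fine.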