author | David Gwynne <dlg@cvs.openbsd.org> | 2019-09-13 01:47:52 +0000 |
---|---|---|
committer | David Gwynne <dlg@cvs.openbsd.org> | 2019-09-13 01:47:52 +0000 |
commit | c556f320e3ddf0db923436485aafa77986d17f9a (patch) | |
tree | db2c37c1ea1c6dcc5a2f0bcb3bea35a02a006784 /sys/net/if_pflog.c | |
parent | 2a7637872b5a9aa6aa7aa1b90a5e520db53aebd8 (diff) |
avoid the use of a custom bpf copy function.
currently pflog prepares a pfloghdr and then passes that, the
original mbuf, and a pflog copy function to bpf. bpf matches on the
original packet, and then if bpf decides it wants the packet it
uses the custom function to copy the packet for userland to read.
the custom function patches the packet so you see the packet after
nat and rdr and af-to and so on. however, this means bpf is matching
on the original packet and reporting a patched packet.
this is also the only use of a custom copy function in the tree,
and it relies on some behaviours that should be internal to bpf to
get away with it.
this pulls the patching up so it's done before the packet is given
to bpf. this simplifies the code a bit, and means bpf is now matching
on and reporting the same packet. removing this custom copy code
also means that we can get rid of that functionality from the
bpf_mtap_hdr function.
ok sashan@ visa@
Diffstat (limited to 'sys/net/if_pflog.c')
-rw-r--r-- | sys/net/if_pflog.c | 56 |
1 files changed, 17 insertions, 39 deletions
diff --git a/sys/net/if_pflog.c b/sys/net/if_pflog.c
index adf36ec3ae2..6c199f00086 100644
--- a/sys/net/if_pflog.c
+++ b/sys/net/if_pflog.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.c,v 1.83 2019/06/13 21:12:52 mpi Exp $ */
+/* $OpenBSD: if_pflog.c,v 1.84 2019/09/13 01:47:51 dlg Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -81,7 +81,7 @@ int pflogioctl(struct ifnet *, u_long, caddr_t);
 void pflogstart(struct ifnet *);
 int pflog_clone_create(struct if_clone *, int);
 int pflog_clone_destroy(struct ifnet *);
-void pflog_bpfcopy(const void *, void *, size_t);
+void pflog_mtap(caddr_t, struct pfloghdr *, struct mbuf *);
 struct if_clone pflog_cloner =
 IF_CLONE_INITIALIZER("pflog", pflog_clone_create, pflog_clone_destroy);
@@ -226,6 +226,7 @@ pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm,
 {
 #if NBPFILTER > 0
 struct ifnet *ifn;
+ caddr_t if_bpf;
 struct pfloghdr hdr;
 if (rm == NULL || pd == NULL || pd->kif == NULL || pd->m == NULL)
@@ -233,8 +234,13 @@ pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm,
 if (trigger == NULL)
 trigger = rm;
- if (trigger->logif >= npflogifs || (ifn = pflogifs[trigger->logif]) ==
- NULL || !ifn->if_bpf)
+ if (trigger->logif >= npflogifs)
+ return (0);
+ ifn = pflogifs[trigger->logif];
+ if (ifn == NULL)
+ return (0);
+ if_bpf = ifn->if_bpf;
+ if (!if_bpf)
 return (0);
 bzero(&hdr, sizeof(hdr));
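Review bot: The guards that replace the combined condition in the @@ -233 hunk capture `if_bpf = ifn->if_bpf;` once so that the later tap uses the pointer the check saw instead of re-reading ifn->if_bpf, but nothing says so; a one-line comment such as `/* snapshot if_bpf so the tap below uses the descriptor this check saw */` would keep a future cleanup from folding the three guards back into one expression. The snapshot does not by itself keep the bpf descriptor alive; whatever serialises pflog_packet against bpfdetach is outside this hunk and cannot be confirmed here. The prototype added in the @@ -81 hunk is undocumented; its short contract (header rewritten in place, mbuf handed to bpf) belongs next to the declaration. pflog_packet's body continues outside the hunk.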
@@ -276,52 +282,28 @@ pflog_packet(struct pf_pdesc *pd, u_int8_t reason, struct pf_rule *rm,
 ifn->if_opackets++;
 ifn->if_obytes += pd->m->m_pkthdr.len;
- bpf_mtap_hdr(ifn->if_bpf, (caddr_t)&hdr, PFLOG_HDRLEN, pd->m,
- BPF_DIRECTION_OUT, pflog_bpfcopy);
+ pflog_mtap(if_bpf, &hdr, pd->m);
 #endif
 return (0);
 }
 void
-pflog_bpfcopy(const void *src_arg, void *dst_arg, size_t len)
+pflog_mtap(caddr_t if_bpf, struct pfloghdr *pfloghdr, struct mbuf *m)
 {
- struct mbuf *m, *mp, *mhdr, *mptr;
- struct pfloghdr *pfloghdr;
- u_int count;
- u_char *dst, *mdst;
- int afto, hlen, mlen, off;
+ struct mbuf *mp, *mhdr, *mptr;
+ u_char *mdst;
+ int afto, hlen, off;
 struct pf_pdesc pd;
 struct pf_addr osaddr, odaddr;
 u_int16_t osport = 0, odport = 0;
 u_int8_t proto = 0;
- m = (struct mbuf *)src_arg;
- dst = dst_arg;
-
 mhdr = pflog_mhdr;
 mptr = pflog_mptr;
- if (m == NULL)
- panic("pflog_bpfcopy got no mbuf");
-
- /* first mbuf holds struct pfloghdr */
- pfloghdr = mtod(m, struct pfloghdr *);
 afto = pfloghdr->af != pfloghdr->naf;
- count = min(m->m_len, len);
- bcopy(pfloghdr, dst, count);
- pfloghdr = (struct pfloghdr *)dst;
- dst += count;
- len -= count;
- m = m->m_next;
-
- if (len <= 0)
- return;
-
- /* second mbuf is pkthdr */
- if (m == NULL)
- panic("no second mbuf");
 /*
 * temporary mbuf will hold an ip/ip6 header and 8 bytes
@@ -426,7 +408,6 @@ pflog_bpfcopy(const void *src_arg, void *dst_arg, size_t len)
 pfloghdr->dport = odport;
 }
- pd.tot_len = min(pd.tot_len, len);
 pd.tot_len -= pd.m->m_data - pd.m->m_pktdat;
 #ifdef INET6
@@ -436,9 +417,6 @@ pflog_bpfcopy(const void *src_arg, void *dst_arg, size_t len)
 m = pd.m;
 copy:
- mlen = min(m->m_pkthdr.len, len);
- m_copydata(m, 0, mlen, dst);
- len -= mlen;
- if (len > 0)
- bzero(dst + mlen, len);
+ bpf_mtap_hdr(if_bpf, pfloghdr, sizeof(*pfloghdr), m,
+ BPF_DIRECTION_OUT, NULL);
 }
|
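Review bot: pflog_mtap now patches the caller's stack `hdr` in place (the `pfloghdr->dport = odport;` context in the @@ -426 hunk writes through the passed pointer), whereas pflog_bpfcopy patched the copy already in bpf's buffer; that is harmless for the single caller in the @@ -276 hunk, but the function's header comment should state that *pfloghdr is modified and that `m` is only a local pointer (`m = pd.m;` in the @@ -436 hunk rebinds it; the caller's pd->m is untouched). The header length handed to bpf changes from `PFLOG_HDRLEN` to `sizeof(*pfloghdr)`; these are presumably equal today, but keeping `PFLOG_HDRLEN` at the new bpf_mtap_hdr call would leave the length defined in one place if the macro is ever changed. With `pd.tot_len = min(pd.tot_len, len)` removed, the address rewrite now runs over the whole packet before bpf applies its snaplen rather than only over the captured prefix, which is what the commit intends; bpf_mtap_hdr's own truncation is not visible here. pflog_mtap's body continues outside these hunks.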