From nobody@FreeBSD.org  Sun Aug 29 09:46:11 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 84BEC16A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 29 Aug 2004 09:46:11 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7C6A343D5A
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 29 Aug 2004 09:46:11 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i7T9kBT2058089
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 29 Aug 2004 09:46:11 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i7T9kBgw058088;
	Sun, 29 Aug 2004 09:46:11 GMT
	(envelope-from nobody)
Message-Id: <200408290946.i7T9kBgw058088@www.freebsd.org>
Date: Sun, 29 Aug 2004 09:46:11 GMT
From: Ville-Pertti Keinonen <will@iki.fi>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pflogd doesn't write valid pcap savefiles on 64-bit architectures
X-Send-Pr-Version: www-2.3

>Number:         71096
>Category:       bin
>Synopsis:       pflogd doesn't write valid pcap savefiles on 64-bit architectures
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    mlaier
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 29 09:50:08 GMT 2004
>Closed-Date:    Tue Aug 31 18:06:19 GMT 2004
>Last-Modified:  Tue Aug 31 18:06:19 GMT 2004
>Originator:     Ville-Pertti Keinonen
>Release:        6.0-current
>Organization:
>Environment:
FreeBSD [hostname] 6.0-CURRENT FreeBSD 6.0-CURRENT #0: Sun Aug 29 11:59:34 EEST 2004     root@[hostname]:/usr/obj/usr/src/sys/CRASH  amd64

>Description:
pflogd is storing instances of struct pcap_pkthdr where it should be storing instances of struct pcap_sf_pkthdr.  On 64-bit architectures, this includes native-sized struct timevals, causing programs that read pcap savefiles (tcpdump, ethereal) to be unable to read /var/log/pflog.

Additionally, /etc/rc.d/pflog is broken, as it tries to load a kernel module called pflog, but the functionality is present in a module called pf.

>How-To-Repeat:
See full description.

>Fix:
http://will.iki.fi/patches/pflogd.diff

s/kldload pflog/kldload pf/ in /etc/rc.d/pflog

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->mlaier 
Responsible-Changed-By: simon 
Responsible-Changed-When: Sun Aug 29 10:32:55 GMT 2004 
Responsible-Changed-Why:  
Over to pf maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71096 

From: Max Laier <max@love2party.net>
To: freebsd-gnats-submit@FreeBSD.org, will@iki.fi
Cc:  
Subject: Re: bin/71096: pflogd doesn't write valid pcap savefiles on 64-bit architectures
Date: Mon, 30 Aug 2004 03:25:57 +0200

 Mike Frantzen from OpenBSD tells me that this was fixed in OpenBSD with a 
 fixed size time type for bpf (in the kernel). I'll look into that some more, 
 but will likely commit your userland change in the coming days. In order to 
 make RELENG_5 ... the kernel quirk is certainly CURRENT_6 material (if at 
 all).
 
 Thanks for the reports and patch!
 
 In case anybody is looking at this, I'd appreciate test reports on various 
 archs! TIA
 
 --
  Max
State-Changed-From-To: open->feedback 
State-Changed-By: mlaier 
State-Changed-When: Mon Aug 30 20:59:54 GMT 2004 
State-Changed-Why:  
Committable patch at: 
http://people.freebsd.org/~mlaier/pflogd.diff (slightly face-lifted) 
for testing. 

Concerning the kldload issue: I think this is wrong. kldxref does take care of 
translating pflog into pf.ko; if you have a broken kldxref, kldload will fail 
anyway. Or is there an issue with kldxref on non-i386 I am not aware of? 

Thanks. 

State-Changed-From-To: feedback->closed 
State-Changed-By: mlaier 
State-Changed-When: Tue Aug 31 18:05:48 GMT 2004 
State-Changed-Why:  
Committed, thanks! 

>Unformatted:
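
An added illustration of the layout mismatch described in this PR; it is not the pflogd patch or any FreeBSD code. The names mem_pkthdr, sf_pkthdr, write_record and reader_caplen are hypothetical (the two structs mirror libpcap's struct pcap_pkthdr and struct pcap_sf_pkthdr), and the packet and timestamp are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* In-memory header, same layout as libpcap's struct pcap_pkthdr.
 * struct timeval is 16 bytes on LP64 targets such as amd64. */
struct mem_pkthdr { struct timeval ts; uint32_t caplen, len; };

/* Savefile record header, same layout as struct pcap_sf_pkthdr:
 * 32-bit seconds and microseconds, 16 bytes on every architecture. */
struct sf_pkthdr { int32_t tv_sec, tv_usec; uint32_t caplen, len; };
_Static_assert(sizeof(struct sf_pkthdr) == 16, "record header must be 16 bytes");

/* Append one record to buf, converting the header field by field.
 * Returns bytes written, or 0 if the record does not fit. */
size_t write_record(uint8_t *buf, size_t cap,
                    const struct mem_pkthdr *h, const uint8_t *pkt)
{
    struct sf_pkthdr sf;
    if (cap < sizeof(sf) || h->caplen > cap - sizeof(sf))
        return 0;
    sf.tv_sec  = (int32_t)h->ts.tv_sec;   /* truncation is the format's limit */
    sf.tv_usec = (int32_t)h->ts.tv_usec;
    sf.caplen  = h->caplen;
    sf.len     = h->len;
    memcpy(buf, &sf, sizeof(sf));
    memcpy(buf + sizeof(sf), pkt, h->caplen);
    return sizeof(sf) + h->caplen;
}

/* caplen as a savefile reader finds it: 4 bytes at offset 8 of a record. */
uint32_t reader_caplen(const void *record)
{
    uint32_t v;
    memcpy(&v, (const uint8_t *)record + 8, sizeof(v));
    return v;
}

int main(void)
{
    uint8_t pkt[60] = {0}, buf[128];      /* constructed sample packet */
    struct mem_pkthdr h = { .ts = { .tv_sec = 1093772771, .tv_usec = 123456 }, .caplen = 60, .len = 60 };
    write_record(buf, sizeof(buf), &h, pkt);
    printf("header %zu vs %zu bytes; reader caplen raw=%u converted=%u\n",
           sizeof(h), sizeof(struct sf_pkthdr), reader_caplen(&h), reader_caplen(buf));
    return 0;
}
```

On a target where struct timeval is larger than 8 bytes, the raw in-memory struct puts timestamp bytes where a reader expects caplen, so every record after the file header is misparsed.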
