On Tue, Jul 16, 2013 at 04:56:34PM -0400, Adam Jeanguenat wrote:
> On 2013-07-11 at 22:33:48 -0400, Lawrence Teo wrote:
> > On Fri, May 31, 2013 at 07:41:21PM -0400, Lawrence Teo wrote:
> > > This patch fixes two issues with the IPFW DAQ module that's used by
> > > Snort inline:
> >
> > I would really like to commit these two DAQ fixes so that they can be
> > included on time for the 5.4 release. These fixes are needed for Snort
> > to run properly in inline mode.
> >
> > To recap, this diff fixes two issues:
> >
> > 1. Snort inline does not drop/reject packets
> > 2. Snort inline cannot run as an unprivileged user
> >
> > Since not many people are familiar with Snort inline on OpenBSD, I have
> > included my test procedure below for anyone who would like to replicate
> > my tests.
> >
> > Comments? OK?
> >
> > Thanks,
> > Lawrence
>
> I just finished applying the patch and following your test procedure on
> an i386 -current system updated today; I can confirm everything works
> exactly as described.
>
> Great finds.
>
> --avj
Thank you for testing, Adam! Assuming no objections, I would like to commit this sometime at the end of this week. OK's are definitely welcome too. :) Lawrence Index: Makefile =================================================================== RCS file: /cvs/ports/net/daq/Makefile,v retrieving revision 1.6 diff -u -p -r1.6 Makefile --- Makefile 21 Mar 2013 08:46:34 -0000 1.6 +++ Makefile 31 May 2013 21:22:49 -0000 @@ -3,7 +3,7 @@ COMMENT = data acquisition library for snort DISTNAME = daq-2.0.0 -REVISION = 0 +REVISION = 1 SHARED_LIBS += daq 1.0 # 2.0 SHARED_LIBS += sfbpf 0.0 # 0.1 Index: patches/patch-os-daq-modules_daq_ipfw_c =================================================================== RCS file: patches/patch-os-daq-modules_daq_ipfw_c diff -N patches/patch-os-daq-modules_daq_ipfw_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-os-daq-modules_daq_ipfw_c 31 May 2013 21:44:58 -0000 
@@ -0,0 +1,33 @@ +$OpenBSD$ + +This patch fixes two issues in the IPFW DAQ module that is used by +Snort in inline mode (both fixes have been sent upstream): + +1. Fixes a bug where ipfw_daq_inject() ignores the buf and len + arguments that are passed to it, causing packet injections to fail + http://marc.info/?l=snort-devel&m=136185602610571&w=2 + +2. Removes DAQ_CAPA_UNPRIV_START from the list of capabilities so that + Snort can run as an unprivileged user in inline mode + http://marc.info/?l=snort-devel&m=136254358118711&w=2 + +--- os-daq-modules/daq_ipfw.c.orig Thu Sep 6 11:17:26 2012 ++++ os-daq-modules/daq_ipfw.c Fri May 31 17:26:38 2013 +@@ -256,7 +256,7 @@ static int ipfw_daq_inject ( + int reverse) + { + IpfwImpl* impl = (IpfwImpl*)handle; +- int status = ipfw_daq_forward(impl, hdr, impl->buf, hdr->pktlen, 0); ++ int status = ipfw_daq_forward(impl, hdr, buf, len, 0); + + if ( status == DAQ_SUCCESS ) + impl->stats.packets_injected++; +@@ -397,7 +397,7 @@ static int ipfw_daq_get_snaplen (void* handle) + static uint32_t ipfw_daq_get_capabilities (void* handle) + { + return DAQ_CAPA_BLOCK | DAQ_CAPA_REPLACE | DAQ_CAPA_INJECT | DAQ_CAPA_INJECT_RAW +- | DAQ_CAPA_BREAKLOOP | DAQ_CAPA_UNPRIV_START | DAQ_CAPA_BPF; ++ | DAQ_CAPA_BREAKLOOP | DAQ_CAPA_BPF; + } + + static int ipfw_daq_get_datalink_type(void *handle)
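Review bot: in the ipfw_daq_inject() hunk the `reverse` parameter visible in the first context line is still unused after the change, and the trailing 0 passed to ipfw_daq_forward() is unchanged, so injection in the reverse direction keeps whatever behaviour it had before; if that is intentional for a divert socket, say so in one line of the patch header so the next reader does not re-ask. The one-line substitution itself is the right fix: the old call handed ipfw_daq_forward() `impl->buf` and `hdr->pktlen`, i.e. the packet that was just received, instead of the caller's `buf` and `len`, which matches the header's description of injections failing. Since the fix was sent upstream (marc.info link in the header), record the upstream commit or release there once it lands so the local patch can be dropped at the next daq update.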
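Review bot: the capabilities hunk removes DAQ_CAPA_UNPRIV_START, but the patch header only says that this lets Snort run unprivileged, not why removing a capability with that name has that effect; add the mechanism to the header (presumably Snort reads the flag as "this module may be started after privileges are dropped", so advertising it from a module whose start routine needs root makes Snort drop privileges before ipfw_daq_start() runs, while without the flag the DAQ is started first and the switch to the -u/-g identity follows). If that is the mechanism, the port's README or the commit message should also state that snort still has to be launched as root with -u/-g for inline mode, since the privilege drop now happens after daq_start() rather than being avoided.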
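The second fix is easier to follow with the start-up ordering spelled out. What follows is an added example, not DAQ, Snort or OpenBSD ports code: a small C model of how a DAQ module's DAQ_CAPA_UNPRIV_START bit steers whether privileges are dropped before or after daq_start(). The ordering rule, the numeric flag values, the uid numbers and the modelled root requirement of the ipfw start routine are assumptions made here for illustration; only the two capability masks (before and after the hunk) are taken from the patch. Running it shows that the shipped mask makes start fail when launched as root with a -u user, that the patched mask starts and still ends up unprivileged, and that the patched module must still be launched as root.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Capability bits as assumed by this example (a bit mask in the style of
 * daq_common.h; the exact values are not on the page). */
#define DAQ_CAPA_BLOCK        0x001
#define DAQ_CAPA_REPLACE      0x002
#define DAQ_CAPA_INJECT       0x004
#define DAQ_CAPA_UNPRIV_START 0x020
#define DAQ_CAPA_BREAKLOOP    0x040
#define DAQ_CAPA_BPF          0x080
#define DAQ_CAPA_INJECT_RAW   0x200

/* What the model needs to know about a DAQ module. */
struct daq_module_model {
    const char *name;
    uint32_t    caps;             /* what get_capabilities() advertises        */
    bool        start_needs_root; /* assumption: start() opens a root-only socket */
};

struct startup_result {
    bool started;      /* daq_start() succeeded                     */
    bool unprivileged; /* process ends up running as the -u identity */
};

/* Stand-in for the module's start routine: succeeds only if the caller is
 * still root whenever the module needs root (e.g. a divert socket open). */
static bool model_daq_start(const struct daq_module_model *m, uid_t euid)
{
    return !m->start_needs_root || euid == 0;
}

/* Assumed Snort ordering: a module advertising DAQ_CAPA_UNPRIV_START is
 * started after the privilege drop; any other module is started first and
 * the drop to the -u/-g identity follows. */
struct startup_result simulate_startup(const struct daq_module_model *m,
                                       uid_t launched_as, uid_t target_uid)
{
    struct startup_result r = { false, false };
    uid_t euid = launched_as;

    if (m->caps & DAQ_CAPA_UNPRIV_START) {
        euid = target_uid;                    /* drop first ...             */
        r.started = model_daq_start(m, euid); /* ... then start, unprivileged */
    } else {
        r.started = model_daq_start(m, euid); /* start while still root ... */
        euid = target_uid;                    /* ... then drop              */
    }
    r.unprivileged = (euid != 0);
    return r;
}

/* ipfw module as shipped in daq-2.0.0: mask copied from the '-' line of the
 * hunk; start modelled as needing root. Launched as root with -u uid 1000. */
struct startup_result startup_ipfw_before_fix(void)
{
    const struct daq_module_model m = {
        "ipfw (daq-2.0.0)",
        DAQ_CAPA_BLOCK | DAQ_CAPA_REPLACE | DAQ_CAPA_INJECT | DAQ_CAPA_INJECT_RAW
        | DAQ_CAPA_BREAKLOOP | DAQ_CAPA_UNPRIV_START | DAQ_CAPA_BPF,
        true
    };
    return simulate_startup(&m, 0, 1000);
}

/* ipfw module with the patch applied: mask copied from the '+' line of the
 * hunk. The launching uid is a parameter so the root requirement shows. */
struct startup_result startup_ipfw_patched(uid_t launched_as)
{
    const struct daq_module_model m = {
        "ipfw (patched)",
        DAQ_CAPA_BLOCK | DAQ_CAPA_REPLACE | DAQ_CAPA_INJECT | DAQ_CAPA_INJECT_RAW
        | DAQ_CAPA_BREAKLOOP | DAQ_CAPA_BPF,
        true
    };
    return simulate_startup(&m, launched_as, 1000);
}

/* Contrast: a hypothetical module whose start needs no privilege is right
 * to advertise UNPRIV_START and gets the early drop. */
struct startup_result startup_unprivileged_reader(void)
{
    const struct daq_module_model m = { "file reader", DAQ_CAPA_UNPRIV_START, false };
    return simulate_startup(&m, 0, 1000);
}

static void report(const char *label, struct startup_result r)
{
    printf("%-28s started=%-3s unprivileged=%s\n", label,
           r.started ? "yes" : "no", r.unprivileged ? "yes" : "no");
}

int main(void)
{
    report("ipfw before fix (as root)", startup_ipfw_before_fix());
    report("ipfw patched (as root)", startup_ipfw_patched(0));
    report("ipfw patched (as uid 1000)", startup_ipfw_patched(1000));
    report("unprivileged reader", startup_unprivileged_reader());
    return 0;
}
```

The model has no real privilege switching in it; the point is the ordering decision, which is made once from the capability mask. A module that advertises UNPRIV_START while its start routine needs root is asking Snort to drop privileges before the one step that needs them.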
