Discussion:
bpf(4) bypassing pfil(9)?
Timo Buhrmester
2019-02-14 18:20:06 UTC
Using a bpf network tap (like dhcpd does), packets injected or received on it effectively bypass pfil(9). I noticed it by using npf to block DHCP traffic from a particular network, only to find out that hosts on that network are still able to get DHCP leases.

pfil(9) sees the inbound packets and they're correctly discarded by npf, but it seems the bpf interface receives a copy anyway. Outbound packets are never passed through pfil at all.

Is this the way things are supposed to be? I feel that packets received/injected on a bpf interface should still be subject to packet filtering.

Any insights?

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Greg Troxel
2019-02-14 20:23:07 UTC
Post by Timo Buhrmester
Using a bpf network tap (like dhcpd does), packets injected or
received on it effectively bypass pfil(9). I noticed it by using npf
to block DHCP traffic from a particular network, only to find out that
hosts on that network are still able to get DHCP leases.
pfil(9) sees the inbound packets and they're correctly discarded by
npf, but it seems the bpf interface receives a copy anyway. Outbound
packets are never passed through pfil at all.
Is this the way things are supposed to be? I feel that packets
received/injected on a bpf interface should still be subject to packet
filtering.
I think the behavior you are seeing is correct. bpf is fundamentally
a debugging tool for privileged users. It happens at the network
interface, not higher up in the network stack. Basically the pseudocode
is:

somehow get notified of a packet and get it in ram
call bpf_mtap
send the packet via the input routine

then later, filtering is applied.


It's not clear to me how adding filtering to bpf would work, but if so
it IMHO should be opt-in by the process that opens bpf.


There is probably a residual question about filtering strategy for
things that use bpf to bypass the networking stack for various reasons.

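As an added illustration of the ordering Greg describes (this is constructed model code, not code from the thread and not NetBSD source), the following C program models both directions: on input the bpf tap is fed before the protocol input routine, and the pfil(9) hooks only run inside that routine; a frame written to /dev/bpf goes to the interface output routine without passing ip_output, so pfil never sees it. Function names are borrowed from the kernel for readability, but the bodies, the packet struct, the npf-like "block DHCP to/from 10.0.5.0/24" rule and the sample packets are all assumptions made up for the example.

```c
/*
 * Constructed model of the NetBSD packet dispatch order discussed in the
 * thread. Not kernel code: the names mirror the kernel, the bodies are toy
 * stand-ins that count what each observation point would have seen.
 */
#include <stdint.h>
#include <stdio.h>

enum { PF_PASS = 0, PF_DROP = 1 };

struct pkt {
    uint32_t src_net;   /* /24 prefix of the source, e.g. 0x0a000500 for 10.0.5.0 */
    uint32_t dst_net;   /* /24 prefix of the destination */
    uint16_t sport;
    uint16_t dport;
};

/* Observation points standing in for a bpf reader and the IP stack. */
static int bpf_copies;      /* frames handed to bpf_mtap() */
static int stack_accepted;  /* packets that got past pfil into the stack */
static int pfil_drops;      /* packets discarded by the pfil hook */
static int frames_on_wire;  /* frames handed to the interface for transmit */

/* Assumed npf-style rule: block DHCP to or from this /24 (constructed). */
static const uint32_t blocked_net = 0x0a000500u;   /* 10.0.5.0/24 */

/* Constructed sample packets. */
const struct pkt dhcp_discover = { 0x0a000500u, 0xffffff00u, 68, 67 }; /* client -> bcast */
const struct pkt ssh_from_net  = { 0x0a000500u, 0x0a000100u, 50000, 22 };
const struct pkt dhcp_offer    = { 0x0a000100u, 0x0a000500u, 67, 68 }; /* server -> client */

void model_reset(void) { bpf_copies = stack_accepted = pfil_drops = frames_on_wire = 0; }
int model_bpf_copies(void)     { return bpf_copies; }
int model_stack_accepted(void) { return stack_accepted; }
int model_pfil_drops(void)     { return pfil_drops; }
int model_frames_on_wire(void) { return frames_on_wire; }

static int is_dhcp(const struct pkt *p)
{
    return p->sport == 67 || p->sport == 68 || p->dport == 67 || p->dport == 68;
}

/* pfil(9) hook as npf would install it: drop DHCP touching blocked_net. */
static int pfil_run_hooks(const struct pkt *p)
{
    if (is_dhcp(p) && (p->src_net == blocked_net || p->dst_net == blocked_net)) {
        pfil_drops++;
        return PF_DROP;
    }
    return PF_PASS;
}

/* bpf tap: every listener on the interface gets a copy, no filtering involved. */
static void bpf_mtap(const struct pkt *p)
{
    (void)p;
    bpf_copies++;
}

/* Interface output routine: the last stop before the wire. */
static void if_output(const struct pkt *p)
{
    (void)p;
    frames_on_wire++;
}

/* ip_input: this is where the inbound pfil hooks live. Returns 1 if accepted. */
static int ip_input(const struct pkt *p)
{
    if (pfil_run_hooks(p) == PF_DROP)
        return 0;
    stack_accepted++;
    return 1;
}

/* Inbound: the interface input routine taps FIRST, then calls ip_input. */
int receive_from_wire(const struct pkt *p)
{
    bpf_mtap(p);
    return ip_input(p);
}

/* Outbound from a socket: ip_output runs the pfil hooks before if_output. */
int send_from_socket(const struct pkt *p)
{
    if (pfil_run_hooks(p) == PF_DROP)
        return 0;
    if_output(p);
    return 1;
}

/* Outbound via write(2) on /dev/bpf: straight to if_output, no ip_output, no pfil. */
int bpf_write(const struct pkt *p)
{
    if_output(p);
    return 1;
}

int main(void)
{
    model_reset();
    printf("inbound DHCP discover accepted by stack: %d\n", receive_from_wire(&dhcp_discover));
    printf("  bpf copies=%d pfil drops=%d\n", model_bpf_copies(), model_pfil_drops());
    printf("DHCP offer via socket sent: %d\n", send_from_socket(&dhcp_offer));
    printf("DHCP offer via /dev/bpf sent: %d\n", bpf_write(&dhcp_offer));
    printf("  frames on wire=%d pfil drops=%d\n", model_frames_on_wire(), model_pfil_drops());
    return 0;
}
```

Running it shows the two effects from the first post side by side: the inbound discover is dropped by the hook yet still counted by the tap, and the offer that ip_output would have dropped reaches the wire untouched when it is written through bpf.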