Re: bpf(4) bypassing pfil(9)?

To: Timo Buhrmester <fstd.lkml%gmail.com@localhost>
Subject: Re: bpf(4) bypassing pfil(9)?
From: Greg Troxel <gdt%lexort.com@localhost>
Date: Thu, 14 Feb 2019 15:23:07 -0500

Timo Buhrmester <fstd.lkml%gmail.com@localhost> writes:

> Using a bpf network tap (like dhcpd does), packets injected or
> received on it effectively bypass pfil(9).  I noticed it by using npf
> to block DHCP traffic from a particular network, only to find out that
> hosts on that network are still able to get DHCP leases.
>
> pfil(9) sees the inbound packets and they're correctly discarded by
> npf, but it seems the bpf interface receives a copy anyway.  Outbound
> packets are never passed through pfil at all.
>
> Is this the way things are supposed to be?  I feel that packets
> received/injected no a bpf interface should still be subject to packet
> filtering.

I think the behavior your are seeing is correct..  bpf is fundamentally
a debugging tool for privileged users.  It happens at the network
interface, not higher up in the network stack.  Basically the pseudcode
is:

   somehow get notified of a packet and get it in ram
   call bpf_mtap
   send the packet via the input routine

then later, filtering is applied.

It's not clear to me how adding filtering to bpf would work, but if so
it IMHO should be opt-in by the process that opens bpf.

There is probably a residual question about filtering strategy for
things that use bpf to bypass the networking stack for various reasons.

References:
- bpf(4) bypassing pfil(9)?
  - From: Timo Buhrmester

Prev by Date: bpf(4) bypassing pfil(9)?
Next by Date: Re: kern/53962: npf: weird 'stateful' behavior
Previous by Thread: bpf(4) bypassing pfil(9)?
Indexes:

Home | Main Index | Thread Index | Old Index