tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: bpf(4) bypassing pfil(9)?
Timo Buhrmester <fstd.lkml%gmail.com@localhost> writes:
> Using a bpf network tap (like dhcpd does), packets injected or
> received on it effectively bypass pfil(9). I noticed it by using npf
> to block DHCP traffic from a particular network, only to find out that
> hosts on that network are still able to get DHCP leases.
>
> pfil(9) sees the inbound packets and they're correctly discarded by
> npf, but it seems the bpf interface receives a copy anyway. Outbound
> packets are never passed through pfil at all.
>
> Is this the way things are supposed to be? I feel that packets
> received/injected no a bpf interface should still be subject to packet
> filtering.
I think the behavior your are seeing is correct.. bpf is fundamentally
a debugging tool for privileged users. It happens at the network
interface, not higher up in the network stack. Basically the pseudcode
is:
somehow get notified of a packet and get it in ram
call bpf_mtap
send the packet via the input routine
then later, filtering is applied.
It's not clear to me how adding filtering to bpf would work, but if so
it IMHO should be opt-in by the process that opens bpf.
There is probably a residual question about filtering strategy for
things that use bpf to bypass the networking stack for various reasons.
Home |
Main Index |
Thread Index |
Old Index