This patch fixes two issues with the IPFW DAQ module that is used by
Snort in inline mode:
1. The ipfw_daq_inject() function ignores the buf and len arguments
that are passed to it, causing packet injection to fail.
Here's the actual function:
/* DAQ inject callback (quoted as shipped, before the fix below).
 * Snort calls this to send a crafted packet, e.g. a TCP RST for a reject
 * rule; the packet is described by buf/len.
 * Returns the status of ipfw_daq_forward() and counts the injection on
 * DAQ_SUCCESS. */
static int ipfw_daq_inject (
    void* handle, const DAQ_PktHdr_t* hdr, const uint8_t* buf, uint32_t len,
    int reverse)
{
    IpfwImpl* impl = (IpfwImpl*)handle;
    /* Defect: the call forwards the captured packet (impl->buf, hdr->pktlen)
     * instead of the crafted one (buf, len); buf, len and reverse are never
     * read, so the injected packet is not the one Snort asked for. */
    int status = ipfw_daq_forward(impl, hdr, impl->buf, hdr->pktlen, 0);
    if ( status == DAQ_SUCCESS )
        impl->stats.packets_injected++;
    return status;
}
Note how the buf and len arguments are totally ignored. The
ipfw_daq_inject() function is called when Snort tries to inject a
crafted packet (represented by the buf and len arguments). For example,
it is used to inject a TCP RST packet to terminate a TCP connection in
response to a Snort reject rule. So when the arguments are ignored,
packet injection fails.
2. Snort currently cannot run as an unprivileged user when in inline mode.
For example:
# /usr/local/bin/snort -Q -k none --daq ipfw --daq-var port=800 \
-c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log
....
Commencing packet processing (pid=2524)
Decoding Raw IP4
ERROR: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket
(Permission denied)
!
Fatal Error, Quitting..
The attached diff fixes both issues; the patches have been sent upstream
separately:
http://marc.info/?l=snort-devel&m=136185602610571&w=2
http://marc.info/?l=snort-devel&m=136254358118711&w=2
Comments? OK?
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/daq/Makefile,v
retrieving revision 1.6
diff -u -p -r1.6 Makefile
--- Makefile 21 Mar 2013 08:46:34 -0000 1.6
+++ Makefile 31 May 2013 21:22:49 -0000
@@ -3,7 +3,7 @@
COMMENT = data acquisition library for snort
DISTNAME = daq-2.0.0
-REVISION = 0
+REVISION = 1
SHARED_LIBS += daq 1.0 # 2.0
SHARED_LIBS += sfbpf 0.0 # 0.1
Index: patches/patch-os-daq-modules_daq_ipfw_c
===================================================================
RCS file: patches/patch-os-daq-modules_daq_ipfw_c
diff -N patches/patch-os-daq-modules_daq_ipfw_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-os-daq-modules_daq_ipfw_c 31 May 2013 21:44:58 -0000
@@ -0,0 +1,33 @@
+$OpenBSD$
+
+This patch fixes two issues in the IPFW DAQ module that is used by
+Snort in inline mode (both fixes have been sent upstream):
+
+1. Fixes a bug where ipfw_daq_inject() ignores the buf and len
+ arguments that are passed to it, causing packet injections to fail
+ http://marc.info/?l=snort-devel&m=136185602610571&w=2
+
+2. Removes DAQ_CAPA_UNPRIV_START from the list of capabilities so that
+ Snort can run as an unprivileged user in inline mode
+ http://marc.info/?l=snort-devel&m=136254358118711&w=2
+
+--- os-daq-modules/daq_ipfw.c.orig Thu Sep 6 11:17:26 2012
++++ os-daq-modules/daq_ipfw.c Fri May 31 17:26:38 2013
+@@ -256,7 +256,7 @@ static int ipfw_daq_inject (
+ int reverse)
+ {
+ IpfwImpl* impl = (IpfwImpl*)handle;
+- int status = ipfw_daq_forward(impl, hdr, impl->buf, hdr->pktlen, 0);
++ int status = ipfw_daq_forward(impl, hdr, buf, len, 0);
+
+ if ( status == DAQ_SUCCESS )
+ impl->stats.packets_injected++;
+@@ -397,7 +397,7 @@ static int ipfw_daq_get_snaplen (void* handle)
+ static uint32_t ipfw_daq_get_capabilities (void* handle)
+ {
+ return DAQ_CAPA_BLOCK | DAQ_CAPA_REPLACE | DAQ_CAPA_INJECT |
DAQ_CAPA_INJECT_RAW
+- | DAQ_CAPA_BREAKLOOP | DAQ_CAPA_UNPRIV_START | DAQ_CAPA_BPF;
++ | DAQ_CAPA_BREAKLOOP | DAQ_CAPA_BPF;
+ }
+
+ static int ipfw_daq_get_datalink_type(void *handle)
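Review bot: The inject fix still passes a literal `0` as the last argument of `ipfw_daq_forward` while the `reverse` parameter declared just above remains unused, so if that argument is the direction flag, reverse injection is still not honoured; this needs checking against the `ipfw_daq_forward` signature, which lies outside the hunk. The capabilities hunk removes `DAQ_CAPA_UNPRIV_START` without saying why in the code; since the flag presumably advertises that start() may run after privileges are dropped, and the reported `Permission denied` from the divert socket shows it cannot, a short comment would stop someone re-adding it: `/* no DAQ_CAPA_UNPRIV_START: the divert socket in ipfw_daq_start() needs root, so start before dropping privileges */`. The ipfw_daq_inject hunk begins after the function's signature line, and the second hunk ends at the start of ipfw_daq_get_datalink_type, whose body is outside the hunk.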