switch pflogd from using a bpf read timeout to a wait timeout.

a bpf read timeout means every read will end after the timeout
expires. because pflogd has a half second read timeout it would sit
in a loop doing reads all the time even if there were no packets
to log.

the wait timeout means that when bpf catches a packet, it will wait
a bit for more packets to arrive before waking up the pending read.

pflogd now sits in the read syscall until packets are actually
available to log.

found by deraadt@ and ktrace
discussed with and ok sashan@

diff --git a/sbin/pflogd/pflogd.c b/sbin/pflogd/pflogd.c
index 2f53ef3..6a7a3cb 100644 (file)
--- a/sbin/pflogd/pflogd.c
+++ b/sbin/pflogd/pflogd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pflogd.c,v 1.62 2019/07/25 17:32:33 brynet Exp $      */
+/*     $OpenBSD: pflogd.c,v 1.63 2023/05/09 00:01:59 dlg Exp $ */
 
 /*
  * Copyright (c) 2001 Theo de Raadt
@@ -251,8 +251,8 @@ pflog_read_live(const char *source, int slen, int promisc, int to_ms,
                struct timeval to;
                to.tv_sec = to_ms / 1000;
                to.tv_usec = (to_ms * 1000) % 1000000;
-               if (ioctl(p->fd, BIOCSRTIMEOUT, &to) == -1) {
-                       snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT: %s",
+               if (ioctl(p->fd, BIOCSWTIMEOUT, &to) == -1) {
+                       snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSWTIMEOUT: %s",
                            pcap_strerror(errno));
                        goto bad;
                }