I think this will help pflogd sleep better at night...
My understanding of the pcap/bpf timeout is that it will always wait that
long, even if packets are received, so that you don't get one read() per
packet. But using this timeout doesn't mean wait forever until you get
something.
We can put a "long" poll() in front of pcap to wait until there are packets
(maybe never if you aren't using pf logging), and then let the timeout work
it's magic.
Index: pflogd.c
===================================================================
RCS file: /cvs/src/sbin/pflogd/pflogd.c,v
retrieving revision 1.51
diff -u -p -r1.51 pflogd.c
--- pflogd.c 7 Feb 2015 02:09:13 -0000 1.51
+++ pflogd.c 22 Sep 2015 00:08:16 -0000
@@ -35,6 +35,8 @@
#include <sys/stat.h>
#include <sys/socket.h>
#include <net/if.h>
+
+#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -575,6 +577,7 @@ main(int argc, char **argv)
int ch, np, ret, Xflag = 0;
pcap_handler phandler = dump_packet;
const char *errstr = NULL;
+ struct pollfd pfd;
ret = 0;
@@ -685,9 +688,16 @@ main(int argc, char **argv)
} else if (Xflag)
return (0);
+ pfd.fd = pcap_get_selectable_fd(hpcap);
+ pfd.events = POLLIN;
while (1) {
- np = pcap_dispatch(hpcap, PCAP_NUM_PKTS,
- phandler, (u_char *)dpcap);
+ np = 0;
+ if (poll(&pfd, 1, INFTIM) == 1) {
+ np = pcap_dispatch(hpcap, PCAP_NUM_PKTS,
+ phandler, (u_char *)dpcap);
+ } else if (pfd.revents & (POLLERR|POLLHUP)) {
+ np = -1;
+ }
if (np < 0) {
if (!if_exists(interface)) {
logmsg(LOG_NOTICE, "interface %s went away",
