From owner-freebsd-pf@FreeBSD.ORG  Thu Sep 16 04:00:05 2004
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 674)
	id 57D2016A4CE; Thu, 16 Sep 2004 04:00:05 +0000 (GMT)
Delivered-To: mlaier@vampire.homelinux.org
Received: (qmail 78789 invoked by uid 1005); 31 Jan 2004 05:48:33 -0000
Delivered-To: max@vampire.homelinux.org
Received: (qmail 78786 invoked from network); 31 Jan 2004 05:48:33 -0000
Received: from moutng.kundenserver.de (212.227.126.189)
  by p50839ea4.dip.t-dialin.net with SMTP; 31 Jan 2004 05:48:33 -0000
Received: from [212.227.126.212] (helo=mxng16.kundenserver.de)
	by moutng.kundenserver.de with esmtp (Exim 3.35 #1)
	id 1AmnvS-000259-00
	for max@vampire.homelinux.org; Sat, 31 Jan 2004 06:44:14 +0100
Received: from [206.53.239.180] (helo=turing.freelists.org)
	by mxng16.kundenserver.de with esmtp (Exim 3.35 #1)
	id 1AmnvR-0008Ta-00
	for max@love2party.net; Sat, 31 Jan 2004 06:44:13 +0100
Received: from turing (localhost [127.0.0.1])ESMTP
	id 9AB3C394F02; Sat, 31 Jan 2004 00:37:52 -0500 (EST)
Received: with ECARTIS (v1.0.0; list pf4freebsd);
	Sat, 31 Jan 2004 00:37:40 -0500 (EST)
X-Original-To: pf4freebsd@freelists.org
Delivered-To: pf4freebsd@freelists.org
Received: from ns.kt-is.co.kr (ns.kt-is.co.kr [211.218.149.125])
	ESMTP id 42FDB394D8B
	for <pf4freebsd@freelists.org>; Sat, 31 Jan 2004 00:37:38 -0500 (EST)
Received: from michelle.kt-is.co.kr (ns2.kt-is.co.kr [220.76.118.193])
	(authenticated bits=128)
	by ns.kt-is.co.kr (8.12.10/8.12.10) with ESMTP id i0V5bqAh002502
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL)
	for <pf4freebsd@freelists.org>; Sat, 31 Jan 2004 14:37:53 +0900 (KST)
Received: from michelle.kt-is.co.kr (localhost.kt-is.co.kr [127.0.0.1])
	by michelle.kt-is.co.kr (8.12.10/8.12.10) with ESMTP id i0V5h945037584
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <pf4freebsd@freelists.org>; Sat, 31 Jan 2004 14:43:09 +0900 (KST)
	(envelope-from yongari@kt-is.co.kr)
Received: (from yongari@localhost)
	by michelle.kt-is.co.kr (8.12.10/8.12.10/Submit) id i0V5h9jT037583
	for pf4freebsd@freelists.org; Sat, 31 Jan 2004 14:43:09 +0900 (KST)
	(envelope-from yongari@kt-is.co.kr)
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: pf4freebsd@freelists.org
Message-ID: <20040131054309.GA37208@kt-is.co.kr>
References: <20040130123456.GA773@fried.sakeos.net>
Mime-Version: 1.0
Content-type: text/plain;
  charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040130123456.GA773@fried.sakeos.net>
User-Agent: Mutt/1.4.1i
X-Filter-Version: 1.11a (ns.kt-is.co.kr)
X-archive-position: 258
X-ecartis-version: Ecartis v1.0.0
Sender: pf4freebsd-bounce@freelists.org
Errors-To: pf4freebsd-bounce@freelists.org
X-original-sender: yongari@kt-is.co.kr
Precedence: normal
X-list: pf4freebsd
Content-Transfer-Encoding: quoted-printable
X-Provags-Forward: max@love2party.net -> max@vampire.homelinux.org
X-UID: 376
X-Length: 7607
X-Mailman-Approved-At: Thu, 16 Sep 2004 04:00:59 +0000
Subject: [pf4freebsd] Re: problem with 'user'
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Reply-To: pf4freebsd@freelists.org
List-Id: Technical discussion and general questions about packet filter (pf)
	<freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
Date: Thu, 16 Sep 2004 04:00:05 -0000
X-Original-Date: Sat, 31 Jan 2004 14:43:09 +0900
X-List-Received-Date: Thu, 16 Sep 2004 04:00:05 -0000

On Fri, Jan 30, 2004 at 01:34:56PM +0100, jb wrote:
 > Hi,
 >=20
 > I'm playing with pf on a FreeBSD 5.2 fresh install on i386 and I'm=20
 > experimenting some problems with the following simplified pf.conf on=20
 > my FreeBSD box, it works as I expect on an OpenBSD 3.4 box - plan is t=
o=20
 > allow local user 'jibe' to do dns queries. =20
 >=20
 > My DNS is 10.0.0.2, i my box is 10.0.0.8, my nic is sis0 (more config =
at
 > the bottom of this message).
 >=20
 >    block in log all
 >    block out log all
 >    pass in on lo0 all
 >    pass out on lo0 all
 >=20
 >    pass out log proto udp from any to any port domain user jibe keep s=
tate
 >=20
 > from the command line, "dig openbsd.org" (say), results in the followi=
ng
 > in pflog0 (output of pftcpdump -n -e -ttt -i pflog0 )
 >=20
 > 000000 rule 1/0(match): block out on sis0: 10.0.0.8.49240 > 10.0.0.2.5=
3:  13228+[|domain]
 > 000402 rule 1/0(match): block out on sis0: 10.0.0.8.49242 > 10.0.0.2.5=
3:  13228+[|domain]
 >=20
 > now, changing 'jibe' for 'unknown' in the configuration file:
 >=20
 >    block in log all
 >    block out log all
 >    pass in on lo0 all
 >    pass out on lo0 all
 >=20
 >    pass out log proto udp from any to any port domain user unknown kee=
p state
 >=20
 > dig works and pftcpdump output is:
 >=20
 > 100. 942731 rule 4/0(match): pass out on sis0: 10.0.0.8.49244 > 10.0.0=
.2.53:  53585+[|domain]
 >=20
 > The difference between the OpenBSD and FreeBSD pf results make me thin=
g this
 > is a misbehavior, but it's not like I'm clued about networking and fir=
ewalls.
 > Can others reproduce this or it is the result of my own confusion ?
 >=20
 > thanks for your work, it is really nice to be able to use pf on FreeBS=
D.
 > thsnks in advance for your help.
 > jb
 >=20
Thank you for your report.
Can you try this patch? (Copy attached file to
/usr/ports/security/pf/files directory and build.)
Working/failure reports are very appreciated.

--- pf/pf.c.orig	Tue Jan  6 15:05:35 2004
+++ pf/pf.c	Sat Jan 31 14:33:47 2004
@@ -2153,11 +2153,11 @@
 	struct pf_addr		*saddr, *daddr;
 	u_int16_t		 sport, dport;
 #if defined(__FreeBSD__)
-	struct inpcb *inp;
+	struct inpcbinfo 	*pi;
 #else
 	struct inpcbtable	*tb;
-	struct inpcb		*inp;
 #endif
+	struct inpcb		*inp;
=20
 	*uid =3D UID_MAX;
 	*gid =3D GID_MAX;
@@ -2165,14 +2165,18 @@
 	case IPPROTO_TCP:
 		sport =3D pd->hdr.tcp->th_sport;
 		dport =3D pd->hdr.tcp->th_dport;
-#if !defined(__FreeBSD__)
+#if defined(__FreeBSD__)
+		pi =3D &tcbinfo;
+#else
 		tb =3D &tcbtable;
 #endif
 		break;
 	case IPPROTO_UDP:
 		sport =3D pd->hdr.udp->uh_sport;
 		dport =3D pd->hdr.udp->uh_dport;
-#if !defined(__FreeBSD__)
+#if defined(__FreeBSD__)
+		pi =3D &udbinfo;
+#else
 		tb =3D &udbtable;
 #endif
 		break;
@@ -2195,16 +2199,16 @@
 	case AF_INET:
 #if defined(__FreeBSD__)
 #if (__FreeBSD_version >=3D 500043)
-		INP_INFO_RLOCK(&tcbinfo);
+		INP_INFO_RLOCK(pi);	/* XXX LOR */
 #endif
-		inp =3D in_pcblookup_hash(&tcbinfo, saddr->v4, sport, daddr->v4,
+		inp =3D in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4,
 			dport, 0, NULL);
 		if (inp =3D=3D NULL) {
-			inp =3D in_pcblookup_hash(&tcbinfo, saddr->v4, sport,
+			inp =3D in_pcblookup_hash(pi, saddr->v4, sport,
 			   daddr->v4, dport, INPLOOKUP_WILDCARD, NULL);
 			if(inp =3D=3D NULL) {
 #if (__FreeBSD_version >=3D 500043)
-				INP_INFO_RUNLOCK(&tcbinfo);
+				INP_INFO_RUNLOCK(pi);
 #endif
 				return (0);
 			}
@@ -2223,16 +2227,16 @@
 	case AF_INET6:
 #if defined(__FreeBSD__)
 #if (__FreeBSD_version >=3D 500043)
-		INP_INFO_RLOCK(&tcbinfo);
+		INP_INFO_RLOCK(pi);
 #endif
-		inp =3D in6_pcblookup_hash(&tcbinfo, &saddr->v6, sport,
+		inp =3D in6_pcblookup_hash(pi, &saddr->v6, sport,
 			&daddr->v6, dport, 0, NULL);
 		if (inp =3D=3D NULL) {
-			inp =3D in6_pcblookup_hash(&tcbinfo, &saddr->v6, sport,
+			inp =3D in6_pcblookup_hash(pi, &saddr->v6, sport,
 			&daddr->v6, dport, INPLOOKUP_WILDCARD, NULL);
 			if (inp =3D=3D NULL) {
 #if (__FreeBSD_version >=3D 500043)
-				INP_INFO_RUNLOCK(&tcbinfo);
+				INP_INFO_RUNLOCK(pi);
 #endif
 				return (0);
 			}
@@ -2261,7 +2265,7 @@
 	*gid =3D inp->inp_socket->so_cred->cr_groups[0];
 #if (__FreeBSD_version >=3D 500043)
 	INP_UNLOCK(inp);
-	INP_INFO_RUNLOCK(&tcbinfo);
+	INP_INFO_RUNLOCK(pi);
 #endif
 #else
 	*uid =3D inp->inp_socket->so_euid;
--=20
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>