Date:      Thu, 16 Sep 2004 04:00:05 -0000
From:      Pyun YongHyeon <yongari@kt-is.co.kr>
To:        pf4freebsd@freelists.org
Subject:   [pf4freebsd] Re: problem with 'user'
Message-ID:  <20040131054309.GA37208@kt-is.co.kr>
In-Reply-To: <20040130123456.GA773@fried.sakeos.net>
References:  <20040130123456.GA773@fried.sakeos.net>

On Fri, Jan 30, 2004 at 01:34:56PM +0100, jb wrote:
 > Hi,
 >=20
 > I'm playing with pf on a FreeBSD 5.2 fresh install on i386 and I'm
 > experiencing some problems with the following simplified pf.conf on
 > my FreeBSD box; it works as I expect on an OpenBSD 3.4 box. The plan is to
 > allow local user 'jibe' to do DNS queries.
 >=20
 > My DNS server is 10.0.0.2, my box is 10.0.0.8, my NIC is sis0 (more config at
 > the bottom of this message).
 >=20
 >    block in log all
 >    block out log all
 >    pass in on lo0 all
 >    pass out on lo0 all
 >=20
 >    pass out log proto udp from any to any port domain user jibe keep state
 >=20
 > From the command line, "dig openbsd.org" (say) results in the following
 > in pflog0 (output of pftcpdump -n -e -ttt -i pflog0):
 >=20
 > 000000 rule 1/0(match): block out on sis0: 10.0.0.8.49240 > 10.0.0.2.53:  13228+[|domain]
 > 000402 rule 1/0(match): block out on sis0: 10.0.0.8.49242 > 10.0.0.2.53:  13228+[|domain]
 >=20
 > Now, changing 'jibe' to 'unknown' in the configuration file:
 >=20
 >    block in log all
 >    block out log all
 >    pass in on lo0 all
 >    pass out on lo0 all
 >=20
 >    pass out log proto udp from any to any port domain user unknown keep state
 >=20
 > dig works, and the pftcpdump output is:
 >=20
 > 100. 942731 rule 4/0(match): pass out on sis0: 10.0.0.8.49244 > 10.0.0.2.53:  53585+[|domain]
 >=20
 > The difference between the OpenBSD and FreeBSD pf results makes me think this
 > is a misbehavior, but it's not like I'm clued up about networking and firewalls.
 > Can others reproduce this, or is it the result of my own confusion?
 >=20
 > Thanks for your work; it is really nice to be able to use pf on FreeBSD.
 > Thanks in advance for your help.
 > jb
 >=20
Thank you for your report.
On FreeBSD the socket lookup behind 'user' always searched the TCP PCB table
(tcbinfo), so a UDP socket was never found; the patch below selects tcbinfo or
udbinfo according to the packet's protocol.
Can you try this patch? (Copy the attached file to the
/usr/ports/security/pf/files directory and build.)
Working/failure reports are very much appreciated.

--- pf/pf.c.orig	Tue Jan  6 15:05:35 2004
+++ pf/pf.c	Sat Jan 31 14:33:47 2004
@@ -2153,11 +2153,11 @@
 	struct pf_addr		*saddr, *daddr;
 	u_int16_t		 sport, dport;
 #if defined(__FreeBSD__)
-	struct inpcb *inp;
+	struct inpcbinfo 	*pi;
 #else
 	struct inpcbtable	*tb;
-	struct inpcb		*inp;
 #endif
+	struct inpcb		*inp;
=20
 	*uid =3D UID_MAX;
 	*gid =3D GID_MAX;
@@ -2165,14 +2165,18 @@
 	case IPPROTO_TCP:
 		sport =3D pd->hdr.tcp->th_sport;
 		dport =3D pd->hdr.tcp->th_dport;
-#if !defined(__FreeBSD__)
+#if defined(__FreeBSD__)
+		pi =3D &tcbinfo;
+#else
 		tb =3D &tcbtable;
 #endif
 		break;
 	case IPPROTO_UDP:
 		sport =3D pd->hdr.udp->uh_sport;
 		dport =3D pd->hdr.udp->uh_dport;
-#if !defined(__FreeBSD__)
+#if defined(__FreeBSD__)
+		pi =3D &udbinfo;
+#else
 		tb =3D &udbtable;
 #endif
 		break;
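Review bot: `pi` is assigned only in the IPPROTO_TCP and IPPROTO_UDP arms, and the rest of the switch (including any `default:`) lies outside the hunk, so whether a packet of another protocol can reach the `INP_INFO_RLOCK(pi)` and `in_pcblookup_hash(pi, ...)` sites with `pi` uninitialized depends on a default arm I cannot see. The pre-existing OpenBSD `tb` has the same exposure, which suggests the default does return, but a pointer into the PCB hash should not be left to convention. I would initialize at the declaration, `struct inpcbinfo *pi = NULL;`, and guard the fall-through explicitly after the switch, `if (pi == NULL) return (0);`, matching the `return (0)` the failed lookups already use. The enclosing function starts before this hunk.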
@@ -2195,16 +2199,16 @@
 	case AF_INET:
 #if defined(__FreeBSD__)
 #if (__FreeBSD_version >=3D 500043)
-		INP_INFO_RLOCK(&tcbinfo);
+		INP_INFO_RLOCK(pi);	/* XXX LOR */
 #endif
-		inp =3D in_pcblookup_hash(&tcbinfo, saddr->v4, sport, daddr->v4,
+		inp =3D in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4,
 			dport, 0, NULL);
 		if (inp =3D=3D NULL) {
-			inp =3D in_pcblookup_hash(&tcbinfo, saddr->v4, sport,
+			inp =3D in_pcblookup_hash(pi, saddr->v4, sport,
 			   daddr->v4, dport, INPLOOKUP_WILDCARD, NULL);
 			if(inp =3D=3D NULL) {
 #if (__FreeBSD_version >=3D 500043)
-				INP_INFO_RUNLOCK(&tcbinfo);
+				INP_INFO_RUNLOCK(pi);
 #endif
 				return (0);
 			}
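Review bot: The `/* XXX LOR */` left on `INP_INFO_RLOCK(pi)` records a lock-order hazard without saying what it is, and a reader of this path needs to know before touching it. From what is visible, the function takes the pcbinfo read lock here and later locks the matched inpcb (the `INP_UNLOCK(inp)` in the final hunk), i.e. the usual pcbinfo-then-inpcb order; if pf_test() is reached from the output path while the sending socket's inpcb is already held by its protocol's output routine — which I cannot confirm from the hunk — the pcbinfo lock is taken after that inpcb lock, and an `INP_LOCK` on the same inpcb would recurse on a non-recursive mutex. I would spell that out in place of the bare marker, e.g. `/* XXX LOR: on outbound packets the caller may already hold the sending inpcb's lock; tcbinfo/udbinfo is taken after it here, and the same inpcb is locked again below */`, so the marker is actionable rather than a mystery.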
@@ -2223,16 +2227,16 @@
 	case AF_INET6:
 #if defined(__FreeBSD__)
 #if (__FreeBSD_version >=3D 500043)
-		INP_INFO_RLOCK(&tcbinfo);
+		INP_INFO_RLOCK(pi);
 #endif
-		inp =3D in6_pcblookup_hash(&tcbinfo, &saddr->v6, sport,
+		inp =3D in6_pcblookup_hash(pi, &saddr->v6, sport,
 			&daddr->v6, dport, 0, NULL);
 		if (inp =3D=3D NULL) {
-			inp =3D in6_pcblookup_hash(&tcbinfo, &saddr->v6, sport,
+			inp =3D in6_pcblookup_hash(pi, &saddr->v6, sport,
 			&daddr->v6, dport, INPLOOKUP_WILDCARD, NULL);
 			if (inp =3D=3D NULL) {
 #if (__FreeBSD_version >=3D 500043)
-				INP_INFO_RUNLOCK(&tcbinfo);
+				INP_INFO_RUNLOCK(pi);
 #endif
 				return (0);
 			}
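Review bot: The AF_INET6 arm takes the same `INP_INFO_RLOCK(pi)` as the AF_INET arm but without the `/* XXX LOR */` marker that arm carries; the pcbinfo lock and the inpcb lock taken afterwards are the same objects regardless of address family, so whatever ordering problem the marker records applies here too. Either annotate both sites identically, `INP_INFO_RLOCK(pi);	/* XXX LOR */`, or put one explanatory comment above the `switch (af)` and drop the per-arm markers, so that nobody reads the IPv6 path as the safe one.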
@@ -2261,7 +2265,7 @@
 	*gid =3D inp->inp_socket->so_cred->cr_groups[0];
 #if (__FreeBSD_version >=3D 500043)
 	INP_UNLOCK(inp);
-	INP_INFO_RUNLOCK(&tcbinfo);
+	INP_INFO_RUNLOCK(pi);
 #endif
 #else
 	*uid =3D inp->inp_socket->so_euid;
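Review bot: `inp->inp_socket` is dereferenced at `*gid = inp->inp_socket->so_cred->cr_groups[0]` (and on the `*uid` line just above the hunk) without a check, and on the FreeBSD side the lookups can, I believe, return an inpcb that no longer has a socket: my recollection is that 5.x's tcp_twstart() clears `inp_socket` for TIME_WAIT PCBs while leaving them in the hash that `in_pcblookup_hash()` searches — confirm against the tree this port tracks. TIME_WAIT PCBs are routine on any busy host, so if that holds, an ordinary packet that matches a `user` rule would panic the firewall with a NULL dereference in the packet path. The check belongs before the uid/gid reads and must release both locks the way the failed-lookup paths do; the fence below shows the added lines, placed inside the existing `#if defined(__FreeBSD__)` branch. The enclosing function starts before this hunk.
```c
	/* … unchanged: address-family lookups and INP_LOCK(inp) … */
	/* A PCB can outlive its socket (e.g. TCP TIME_WAIT); so_cred is gone then. */
	if (inp->inp_socket == NULL) {
#if (__FreeBSD_version >= 500043)
		INP_UNLOCK(inp);
		INP_INFO_RUNLOCK(pi);
#endif
		return (0);
	}
	/* … unchanged: *uid read … */
	*gid = inp->inp_socket->so_cred->cr_groups[0];
```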
-- 
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>



