Date: Tue, 2 Jan 2001 14:50:32 +0800 (CST)
From: song@cn899.com
To: ipfilter@coombs.anu.edu.au
Cc: freebsd-net@freebsd.org
Subject: IP Filter auth rule
Message-ID: <20010102065032.D02E91B5E12@mail.cn899.com>

Hi,

I'm playing around with the auth rule and the sample userauth.c of IP Filter on FreeBSD 4.2-RELEASE and below are some results and questions:

1. There is a typo in ip_auth.c which makes the ioctl(SIOCAUTHW) unable to fetch all the fields of the frauth_t struct. Below is a patch for 4.2-RELEASE stock version 3.4.8:

*** /sys/netinet/ip_auth.c Sat Dec 30 22:38:09 2000 --- /sys/netinet/ip_auth.c.orig Sat Dec 30 23:35:33 2000 *************** *** 354,358 **** if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) { error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data, ! sizeof(frauth_t)); RWLOCK_EXIT(&ipf_auth); if (error) --- 354,358 ---- if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) { error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data, ! sizeof(fr_info_t)); RWLOCK_EXIT(&ipf_auth); if (error)

2. userauth.c should open IPAUTH_NAME instead of IPL_NAME for ioctl. Maybe on other platforms it should be IPL_NAME?

3. It seems that "keep state" does not work for auth rules. For example, the rule:

    auth in proto tcp from any to 127.0.0.1/32 port = telnet keep state

   makes every incoming telnet packet go through the authentication despite the "keep state" option.

4. "auth out ..." rule does not work :-(. It makes the system hang for a while and then reboot.

5. auth in IP Filter 3.4.15 does not work in FreeBSD 4.2-RELEASE. The authenticated packets never reach the destination even though the variable fr_authstats.fas_queok increases as normal. I built the KLD module as follows:

    # make freebsd4
    # make install-bsd
    # kldload ipf

Any hints?

Regards,
Song Bo
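
Review bot: the context diff in item 1 appears to be generated in the reverse direction. Its old side (`***`) is ip_auth.c with `sizeof(frauth_t)` and its new side (`---`) is ip_auth.c.orig with `sizeof(fr_info_t)`, so applying it as posted would replace the full-struct size with the smaller one, which is the opposite of the fix the message describes for SIOCAUTHW. Regenerate it as `diff -c ip_auth.c.orig ip_auth.c`, or state that it must be applied with `patch -R`. Since the copy length decides how much of the `fr_auth[fr_authnext]` entry reaches the caller, it would also help to say in the description which fields of frauth_t fall outside the first `sizeof(fr_info_t)` bytes, so reviewers can confirm that user space was only missing data and that nothing beyond the entry is being copied.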