Date: Sat, 15 Nov 2003 19:26:31 -0500 (EST)
From: "Andrey V. Shytov" <shytov@cmt.harvard.edu>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/59314: ipfw: rules with uid are not matched.
Message-ID: <200311160026.hAG0QVwY092210@main.wireless.home>
Resent-Message-ID: <200311160030.hAG0UMqj037038@freefall.freebsd.org>
>Number:         59314
>Category:       kern
>Synopsis:       ipfw: rules with uid are not matched.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 15 16:30:22 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Andrey V. Shytov
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:   none
>Environment:
System: FreeBSD main.wireless.home 5.1-CURRENT FreeBSD 5.1-CURRENT #25: Sat Nov 15 17:20:29 EST 2003 root@main.wireless.home:/usr/obj/usr/src/sys/CUSTOM i386
>Description:
IPFW rules containing uid/gid are not matched.
>How-To-Repeat:
As a superuser, add a rule of the form:

    ipfw add 1 skipto 2 tcp from any to any dst-port 80 uid squid

(you can change "squid" to any uid on your system, and the port to any well-known port, so that you can test the rule by sending packets). Switch to the user specified in the rule:

    su squid

Send some packets, e.g.:

    telnet somehost 80

and examine the counters:

    ipfw show | head

In my case, both byte and packet counters were zero:

    00001 0 0 skipto 2 tcp from any to any dst-port 80 uid squid

Thus, the rule was not matched.
>Fix:
I found out that the check_uidgid function (ip_fw2.c:1296) is called incorrectly. It is declared as:

    static int
    check_uidgid(ipfw_insn_u32 *insn,
        int proto, struct ifnet *oif,
        struct in_addr dst_ip, u_int16_t dst_port, /* dst before src */
        struct in_addr src_ip, u_int16_t src_port)

but called as (ip_fw2.c:1653):

    match = check_uidgid(
        (ipfw_insn_u32 *)cmd,
        proto, oif,
        src_ip, src_port, /* src before dst */
        dst_ip, dst_port);

Thus, check_uidgid was called with the wrong args. Because of that, it was impossible to locate the corresponding pcb structure in the hash table, and the rule was not matched. The following fix solved the problem:

--- sys/netinet/ip_fw2.c.old Fri Nov 14 16:48:56 2003 +++ sys/netinet/ip_fw2.c Sat Nov 15 18:21:40 2003
@@ -1653,8 +1653,8 @@ match = check_uidgid( (ipfw_insn_u32 *)cmd, proto, oif, - src_ip, src_port, - dst_ip, dst_port); + dst_ip, dst_port, + src_ip, src_port); break; case O_RECV:
>Release-Note:
>Audit-Trail:
>Unformatted:
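Review bot: The swap on the `-`/`+` lines brings the call into line with the declaration's dst-before-src parameter order quoted above, but because both addresses are `struct in_addr` and both ports are `u_int16_t`, the compiler cannot flag a swap like this and the same mistake can silently recur; consider reordering the parameters of check_uidgid to the src-then-dst order used at this call site, or at least carrying the `/* dst before src */` comment from the declaration to the call, and confirm that check_uidgid has no other callers still passing the arguments in the old order.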
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200311160026.hAG0QVwY092210>
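The following C program is an added illustration of the failure mode the PR describes; it is not FreeBSD code and none of its names (`lookup_uid`, `pcb_h`, `flow_h`, the constructed table entry) exist in ip_fw2.c. It keeps only the dst-before-src parameter order from the quoted check_uidgid() declaration, and goes one step beyond the PR by showing a flow-struct call that makes the argument positions named rather than positional.

```c
/* Added example, not part of the PR or of FreeBSD: models why passing
 * src before dst to a dst-before-src lookup makes the pcb lookup miss.
 * All identifiers are hypothetical stand-ins for the kernel structures. */
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for struct in_addr. */
struct in_addr_h { uint32_t s_addr; };

/* A toy "pcb": one socket entry keyed by the full 4-tuple. */
struct pcb_h {
    struct in_addr_h laddr, faddr;   /* local and foreign address */
    uint16_t lport, fport;           /* local and foreign port */
    int uid;                         /* owning uid */
};

/* Constructed table: uid 1001 (playing "squid") has one connection
 * from 10.0.0.5:40000 to 192.0.2.10:80. */
static const struct pcb_h pcb_table[] = {
    { {0x0A000005u}, {0xC000020Au}, 40000, 80, 1001 },
};
#define NPCB (sizeof pcb_table / sizeof pcb_table[0])

/* Lookup with the same parameter order as the PR's check_uidgid():
 * destination before source. For an outgoing packet the pcb's local
 * side is the packet's source and its foreign side the destination.
 * Returns the owning uid, or -1 when no pcb matches the tuple. */
int lookup_uid(struct in_addr_h dst_ip, uint16_t dst_port, /* dst before src */
               struct in_addr_h src_ip, uint16_t src_port)
{
    for (size_t i = 0; i < NPCB; i++) {
        const struct pcb_h *p = &pcb_table[i];
        if (p->faddr.s_addr == dst_ip.s_addr && p->fport == dst_port &&
            p->laddr.s_addr == src_ip.s_addr && p->lport == src_port)
            return p->uid;
    }
    return -1;
}

/* Call site as it was before the fix: src before dst. Compiles cleanly
 * because the swapped pairs have identical types. */
int match_uid_buggy(struct in_addr_h src_ip, uint16_t src_port,
                    struct in_addr_h dst_ip, uint16_t dst_port)
{
    return lookup_uid(src_ip, src_port, dst_ip, dst_port);
}

/* Call site as patched in the PR: arguments in the declared order. */
int match_uid_fixed(struct in_addr_h src_ip, uint16_t src_port,
                    struct in_addr_h dst_ip, uint16_t dst_port)
{
    return lookup_uid(dst_ip, dst_port, src_ip, src_port);
}

/* Hardened variant (hypothetical): a flow struct names the ends, so
 * the call site cannot transpose them without the code reading wrong. */
struct flow_h {
    struct in_addr_h src_ip, dst_ip;
    uint16_t src_port, dst_port;
};

int lookup_uid_flow(const struct flow_h *f)
{
    return lookup_uid(f->dst_ip, f->dst_port, f->src_ip, f->src_port);
}

/* Stand-alone run over a constructed packet from the uid 1001 flow. */
int demo(void)
{
    struct flow_h f = { {0x0A000005u}, {0xC000020Au}, 40000, 80 };
    int b = match_uid_buggy(f.src_ip, f.src_port, f.dst_ip, f.dst_port);
    int g = match_uid_fixed(f.src_ip, f.src_port, f.dst_ip, f.dst_port);
    printf("buggy call: uid %d, fixed call: uid %d, flow call: uid %d\n",
           b, g, lookup_uid_flow(&f));
    return g;
}

int main(void)
{
    return demo() == 1001 ? 0 : 1;
}
```

The buggy call returns -1 for the very packet the rule should match, which is exactly the zero-counter symptom in the PR, while the fixed and flow-struct calls both resolve the uid.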