From: "Christian S.J. Peron"
To: Christian Peron
Cc: current@freebsd.org
Date: Fri, 27 Jul 2007 12:20:53 -0500
Subject: Re: Removing NET_NEEDS_GIANT: first patch
Message-ID: <20070727172053.GA49562@sub>
In-Reply-To: <12A5576E06117043AB644E4A998703B7C1F877@Exc01.seccuris.local>

Robert,

Just thought of a couple things:

[..]

> > Index: ip_divert.c > =================================================================== > RCS file: /data/fbsd-cvs/ncvs/src/sys/netinet/ip_divert.c,v > retrieving revision 1.128 > diff -u -r1.128 ip_divert.c > --- ip_divert.c 11 May 2007 10:20:50 -0000 1.128 > +++ ip_divert.c 27 Jul 2007 14:25:09 -0000 > @@ -61,6 +61,7 @@ > #include > > #include > +#include > #include > > #include 
> @@ -378,7 +379,7 @@ > ((so->so_options & SO_DONTROUTE) ? > IP_ROUTETOIF : 0) | > IP_ALLOWBROADCAST | IP_RAWOUTPUT, > - inp->inp_moptions, NULL); > + inp->inp_moptions, inp);

Here we are passing the inp associated with the divert socket. I am not sure how accurate this is, since it's quite possible that the packet could belong to another TCP/UDP socket owned by a completely different user and socket for that matter. This will result in the firewalls attributing the packet to the user of whoever created the divert socket (probably root), instead of attributing the packet to the subject who created the original TCP/UDP socket.

-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer
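Review bot: in the second hunk, changing the last ip_output() argument from NULL to inp makes the divert socket's own inpcb the subject of every packet reinjected through it, which is exactly the attribution problem the reply describes: a packet diverted from some other process's TCP/UDP socket and written back via the divert socket is then credited to the divert socket's owner rather than to the socket that originated it, so any firewall rule that matches on the sending credential evaluates against the wrong identity. Unless the inpcb is needed here for something other than credential lookup, keeping the previous form `- inp->inp_moptions, NULL);` for reinjected traffic, or documenting in a comment why the divert socket's credential is the intended subject, would be the safer change.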