Date: Tue, 2 Jan 2001 14:50:32 +0800 (CST)
From: song@cn899.com
To: ipfilter@coombs.anu.edu.au
Cc: freebsd-net@freebsd.org
Subject: IP Filter auth rule
Message-ID: <20010102065032.D02E91B5E12@mail.cn899.com>
Hi, I'm playing around with the auth rule and the sample userauth.c of
IP Filter on FreeBSD 4.2-RELEASE, and below are some results and
questions:
1. There is a typo in ip_auth.c which makes ioctl(SIOCAUTHW)
unable to fetch all the fields of the frauth_t struct. Below is
a patch for 4.2-RELEASE stock version 3.4.8:
*** /sys/netinet/ip_auth.c Sat Dec 30 22:38:09 2000
--- /sys/netinet/ip_auth.c.orig Sat Dec 30 23:35:33 2000
***************
*** 354,358 ****
if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext])
{
error = IWCOPYPTR((char *)&fr_auth[fr_authnext],
data,
! sizeof(frauth_t));
RWLOCK_EXIT(&ipf_auth);
if (error)
--- 354,358 ----
if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext])
{
error = IWCOPYPTR((char *)&fr_auth[fr_authnext],
data,
! sizeof(fr_info_t));
RWLOCK_EXIT(&ipf_auth);
if (error)
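Review bot: the diff direction is reversed. In a context diff the `***` side is the old file and the `---` side is the new one, but here the `***` side is ip_auth.c with `sizeof(frauth_t)` and the `---` side is ip_auth.c.orig with `sizeof(fr_info_t)`, so applying the patch as posted would put the short copy length back rather than remove it. Regenerate it as `diff -c ip_auth.c.orig ip_auth.c`, or state that it must be applied with `patch -R`. Since the length passed to IWCOPYPTR has to match the object being copied out, writing it as `sizeof(fr_auth[fr_authnext])` would keep the size tied to the array element and prevent this kind of type mismatch from recurring.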
2. userauth.c should open IPAUTH_NAME instead of IPL_NAME for ioctl.
Maybe on other platforms it should be IPL_NAME?
3. It seems that "keep state" does not work for auth rules. For example,
the rule:
auth in proto tcp from any to 127.0.0.1/32 port = telnet keep state
makes every incoming telnet packet go through the authentication
despite the "keep state" option.
4. "auth out ..." rule does not work :-(. It makes the system hang for a
while and then reboot.
5. auth in IP Filter 3.4.15 does not work in FreeBSD 4.2-RELEASE. The
authenticated packets never reach the destination even though the
variable fr_authstats.fas_queok increases as normal. I built the KLD
module as follows:
# make freebsd4
# make install-bsd
# kldload ipf
Any hints?
Regards,
Song Bo Run
