From owner-freebsd-bugs@FreeBSD.ORG Mon Mar 8 20:00:33 2004
Message-Id: <200403090350.i293onhe052664@www.freebsd.org>
Date: Mon, 8 Mar 2004 19:50:49 -0800 (PST)
From: Rojer
To: freebsd-gnats-submit@FreeBSD.org
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
X-Send-Pr-Version: www-2.3
Subject: kern/63961: ipfw2 uid matching doesn't work correctly

>Number: 63961
>Category: kern
>Synopsis: ipfw2 uid matching doesn't work correctly
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Mar 08 20:00:32 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Rojer
>Release: 5.2.1
>Organization:
>Environment:
FreeBSD gw.hq.rojer.pp.ru 5.2.1-RELEASE-p1 FreeBSD 5.2.1-RELEASE-p1 #5: Sat Mar 6 03:33:29 MSK 2004 rojer@gw.hq.rojer.pp.ru:/usr/obj/usr/src/sys/RojerHQ i386
>Description:
uid matching doesn't work with 'setup' rules, e.g. the following rule

    pass tcp from any to me 49152-65535 uid ftp setup

is syntactically correct but won't ever match, while it would be nice if it did.
It seems like the uid is not yet known for packets with tcpflags syn,!ack. But why is it so? The destination port is known and the listening socket is already established, so it should be possible to match the uid of incoming 'setup' packets.

Facing the fact that I cannot filter by uid and setup conditions at the same time, I wrote the following rules:

    # allow syn-packets
    add pass tcp from any to me 49152-65535 setup
    # allow syn-ack packets originating from ftp
    add pass log tcp from me to any tcpflags syn,ack uid ftp
    # deny all other syn-ack packets
    add drop log tcp from me 49152-65535 to any tcpflags syn,ack

The idea was to allow only the ftp server to listen at high ports. To my surprise, no packets matched the second rule and passive ftp data connections wouldn't be established. To me this is clearly a bug, which is why I'm submitting it.

At last, negation of the uid condition doesn't seem to work. Trying to

    add pass log tcp from me to any uid \!ftp

simply gives an error saying that "uid "!ftp" nonexistent", and writing it like this

    add pass log tcp from me to any not uid ftp

gives exactly the opposite:

    01000 allow log tcp from me to any uid ftp

>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
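Added example, not part of the PR and not ipfw code: a small Python checker that reads a ruleset back from `ipfw list` and compares it with what was intended, so that a silently dropped option (like the `not` in the last rule above) is flagged instead of going unnoticed. The listing and the intended rules are constructed from the lines in the report; the action synonyms come from ipfw(8).

```python
import re

# Constructed sample input modelled on the report: the rule bodies as typed
# (minus the leading `ipfw add`) and what `ipfw list` printed back.
INTENDED = {
    1000: "pass log tcp from me to any not uid ftp",
    1100: "pass tcp from any to me 49152-65535 setup",
}
LISTED = """\
01000 allow log tcp from me to any uid ftp
01100 allow tcp from any to me 49152-65535 setup
"""

# Action synonyms from ipfw(8); `ipfw list` prints the canonical spelling.
SYNONYMS = {"pass": "allow", "accept": "allow", "permit": "allow", "drop": "deny"}


def normalise(body):
    """Tokenise a rule body so the typed and listed forms compare equal.
    A standalone `!` token is ipfw's other spelling of `not`."""
    return ["not" if tok == "!" else SYNONYMS.get(tok, tok) for tok in body.split()]


def parse_listing(text):
    """Map rule number -> rule body for each `NNNNN body` line of `ipfw list`."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+?)\s*$", line)
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules


def find_mismatches(intended, listed):
    """Return (rule number, reason) for intended rules missing or altered in the listing."""
    problems = []
    for num, body in sorted(intended.items()):
        shown = listed.get(num)
        if shown is None:
            problems.append((num, "missing from listing"))
            continue
        want, got = normalise(body), normalise(shown)
        if want != got:
            lost = [tok for tok in want if tok not in got]
            problems.append((num, "dropped: " + " ".join(lost) if lost else "rewritten"))
    return problems
```

On a live system, pass the real `ipfw list` output to parse_listing() instead of the constructed LISTED string.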