From owner-freebsd-ipfw@FreeBSD.ORG  Tue Aug 24 20:52:09 2004
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1916116A4DB
	for <ipfw@freebsd.org>; Tue, 24 Aug 2004 20:52:09 +0000 (GMT)
Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 420AE43D55
	for <ipfw@freebsd.org>; Tue, 24 Aug 2004 20:52:08 +0000 (GMT)
	(envelope-from andre@freebsd.org)
Received: (qmail 35660 invoked from network); 24 Aug 2004 20:51:16 -0000
Received: from unknown (HELO freebsd.org) ([62.48.0.53])
          (envelope-sender <andre@freebsd.org>)
          by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP
          for <csjp@freebsd.org>; 24 Aug 2004 20:51:16 -0000
Message-ID: <412BAA78.68218D09@freebsd.org>
Date: Tue, 24 Aug 2004 22:52:08 +0200
From: Andre Oppermann <andre@freebsd.org>
X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Christian S.J. Peron" <csjp@freebsd.org>
References: <412B8799.4020808@freebsd.org>
	<20040824201958.GA61912@freefall.freebsd.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: myself@rojer.pp.ru
cc: ipfw@freebsd.org
Subject: Re: Could you have a look at kern/63961
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Aug 2004 20:52:09 -0000

Christian,

thanks for your quick response.  Could you please take over the PR
and get directly in touch with the Originator.

-- 
Andre


"Christian S.J. Peron" wrote:
> 
> Hey Andre,
> 
> I took a quick look at the PR and I dont think this is a bug.
> If you want to match setup packets for TCP connections it
> does work, but only if the connection has a PCB associated with it.
> For instance, outgoing setup would have a PCB associated with it,
> so ipfw could match on that:
> 
> dev0# ipfw show
> 00400     1      64 count tcp from any to any dst-port 4296 setup uid csjp
> 
> It should be noted that all the "setup" keyword does is set the
> O_TCPFLAGS opcode and set the operand to TH_SYN for SYN packets.
> I dont think Incoming TCP connection requests would not have a
> PCB associated with it, so there is no-way that ipfw can look
> up the credential associated with it.
> 
> However the UID negation problem looks like it could be a bug
> either in how ipfw(8) reports the rule or how the kernel is
> processing it. In either case I will look into it.
> 
> --
> Christian S.J. Peron
> csjp@FreeBSD.ORG
> FreeBSD Committer