From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 24 20:52:09 2004
Return-Path: 
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1916116A4DB for ; Tue, 24 Aug 2004 20:52:09 +0000 (GMT)
Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 420AE43D55 for ; Tue, 24 Aug 2004 20:52:08 +0000 (GMT) (envelope-from andre@freebsd.org)
Received: (qmail 35660 invoked from network); 24 Aug 2004 20:51:16 -0000
Received: from unknown (HELO freebsd.org) ([62.48.0.53]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 24 Aug 2004 20:51:16 -0000
Message-ID: <412BAA78.68218D09@freebsd.org>
Date: Tue, 24 Aug 2004 22:52:08 +0200
From: Andre Oppermann
X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Christian S.J. Peron"
References: <412B8799.4020808@freebsd.org> <20040824201958.GA61912@freefall.freebsd.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: myself@rojer.pp.ru
cc: ipfw@freebsd.org
Subject: Re: Could you have a look at kern/63961
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Tue, 24 Aug 2004 20:52:09 -0000

Christian,

thanks for your quick response. Could you please take over the PR and
get directly in touch with the Originator.

-- 
Andre

"Christian S.J. Peron" wrote:
> 
> Hey Andre,
> 
> I took a quick look at the PR and I don't think this is a bug.
> If you want to match setup packets for TCP connections it
> does work, but only if the connection has a PCB associated with it.
> For instance, outgoing setup would have a PCB associated with it,
> so ipfw could match on that:
> 
> dev0# ipfw show
> 00400 1 64 count tcp from any to any dst-port 4296 setup uid csjp
> 
> It should be noted that all the "setup" keyword does is set the
> O_TCPFLAGS opcode and set the operand to TH_SYN for SYN packets.
> I don't think incoming TCP connection requests would have a
> PCB associated with them, so there is no way that ipfw can look
> up the credential associated with it.
> 
> However the UID negation problem looks like it could be a bug
> either in how ipfw(8) reports the rule or how the kernel is
> processing it. In either case I will look into it.
> 
> -- 
> Christian S.J. Peron
> csjp@FreeBSD.ORG
> FreeBSD Committer
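The behaviour Christian describes, modelled as an added example that is neither ipfw nor FreeBSD code: the `setup` keyword is a TCP-flags test (SYN set), while `uid` needs a PCB lookup for the flow, so an outgoing SYN (whose socket already has a PCB) can match `setup uid`, but an unsolicited incoming SYN has no PCB and cannot. The packet model, the PCB table and the addresses are constructed; the exact-match (non-wildcard) lookup is an assumption of the model.

```python
"""Constructed model of evaluating an ipfw rule that combines ``setup`` and ``uid``."""
from dataclasses import dataclass
from typing import Optional

TH_SYN = 0x02   # TCP flag value as in <netinet/tcp.h>


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    src: tuple              # (ip, port)
    dst: tuple              # (ip, port)
    tcp_flags: int


@dataclass(frozen=True)
class Rule:
    dst_port: Optional[int] = None
    setup: bool = False     # "setup": O_TCPFLAGS opcode with TH_SYN as operand
    uid: Optional[int] = None


# Constructed PCB table keyed by (local endpoint, remote endpoint): only sockets
# this host has opened are present, here one outgoing connection owned by uid 1001.
PCB_TABLE = {(("10.0.0.5", 50000), ("192.0.2.10", 4296)): 1001}


def pcb_uid(pkt: Packet) -> Optional[int]:
    """Exact PCB lookup for the flow (assumed non-wildcard); None if no PCB exists."""
    local, remote = (pkt.src, pkt.dst) if pkt.direction == "out" else (pkt.dst, pkt.src)
    return PCB_TABLE.get((local, remote))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dst_port is not None and pkt.dst[1] != rule.dst_port:
        return False
    if rule.setup and not (pkt.tcp_flags & TH_SYN):
        return False
    if rule.uid is not None and pcb_uid(pkt) != rule.uid:
        return False        # no PCB (None) or a different owner: the uid test fails
    return True


# Like "count tcp from any to any dst-port 4296 setup uid csjp", with csjp -> uid 1001 (constructed)
RULE = Rule(dst_port=4296, setup=True, uid=1001)


def outgoing_setup_matches() -> bool:
    pkt = Packet("out", ("10.0.0.5", 50000), ("192.0.2.10", 4296), TH_SYN)
    return rule_matches(RULE, pkt)      # True: PCB present, owner resolved


def incoming_setup_matches() -> bool:
    pkt = Packet("in", ("198.51.100.7", 40000), ("10.0.0.5", 4296), TH_SYN)
    return rule_matches(RULE, pkt)      # False: no PCB yet, credential cannot be looked up
```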