Date: Sun, 16 Nov 2003 22:39:26 +0100
From: Wiktor Niesiobedzki <bsd@w.evip.pl>
To: freebsd-ipfw@freebsd.org
Subject: Re: Uid keyword matches only on loopack interface
Message-ID: <20031116213926.GE718@mail.evip.pl>
In-Reply-To: <20031113104717.GK231@mail.evip.pl>
References: <20031113104717.GK231@mail.evip.pl>
On Thu, Nov 13, 2003 at 11:47:17AM +0100, Wiktor Niesiobedzki wrote:
> Hi,
>
> After setting up my firewall I saw that only a few packets match the uid keyword.
> From my trivial test it came out that only loopback traffic can be matched. Is
> there some bug lying in here?
>
> The simple rule:
> 00395 0 0 count log tcp from any to any uid root
>
> Will match only:
> Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:80 127.0.0.1:50780 out via lo0
> Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 in via lo0
> Nov 13 11:41:25 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 out via lo0
>
> That kind of traffic. Any traffic going via another interface is not counted.
>

I can be more precise about my problem. As far as I checked, in check_uidgid() (line 1318 of ip_fw2.c) in_pcblookup_hash() returns NULL for almost every packet during the connection. I ran for quite a long time with a count rule, which showed that a few thousand packets matched the rule (during the weekend, with a constant transfer of about 10KB/s from the watched user). The packets matched the rule only adventitiously.

Does anybody have any clues how I may debug the problem further?

Cheers,

Wiktor Niesiobedzki
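The message above shows ipfw log lines for the uid rule and notes that only loopback traffic is counted. A quick way to confirm such a symptom from syslog is to parse the ipfw log format and tally hits per rule, interface and direction. The following is an added example, not code from the mail or from FreeBSD: it parses the "ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>" lines quoted in the message, plus two constructed lines for a hypothetical non-uid count rule 400 on a hypothetical interface fxp0 (addresses from the documentation ranges), so the per-interface breakdown for the two rules can be compared offline.

```python
import re
from collections import Counter

# ipfw syslog format as quoted in the mail:
#   "ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] <in|out> via <iface>"
# Ports are optional so that lines for port-less protocols still parse.
IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+?)(?::(?P<sport>\d+))? (?P<dst>\S+?)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_line(line):
    """Return a dict of the ipfw fields in a syslog line, or None if it is not an ipfw line."""
    m = IPFW_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec


def count_by_interface(lines, rule):
    """Count log hits for one rule number, keyed by (interface, direction)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rule"] == rule:
            hits[(rec["iface"], rec["dir"])] += 1
    return dict(hits)


def interfaces_for_rule(lines, rule):
    """Set of interfaces on which the rule was ever logged; {'lo0'} alone is the symptom in the mail."""
    return {iface for (iface, _direction) in count_by_interface(lines, rule)}


SAMPLE_LOG = [
    # The three lines quoted in the message (uid rule 395).
    "Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:80 127.0.0.1:50780 out via lo0",
    "Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 in via lo0",
    "Nov 13 11:41:25 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 out via lo0",
    # Constructed: a hypothetical plain count rule 400 (no uid clause) on a hypothetical
    # external interface fxp0, to contrast with the uid rule above.
    "Nov 13 11:41:26 portal kernel: ipfw: 400 Count TCP 192.0.2.10:443 198.51.100.7:51234 out via fxp0",
    "Nov 13 11:41:26 portal kernel: ipfw: 400 Count TCP 198.51.100.7:51234 192.0.2.10:443 in via fxp0",
]


if __name__ == "__main__":
    for rule in (395, 400):
        print(rule, count_by_interface(SAMPLE_LOG, rule), interfaces_for_rule(SAMPLE_LOG, rule))
```

Run against a real /var/log/security (or wherever ipfw logs go on the host), a uid rule whose interface set comes back as {'lo0'} only while a comparable rule without the uid clause shows the outside interfaces is exactly the behaviour the mail describes, and the per-direction counts show whether the few non-loopback hits are one-off.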