From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 16 13:39:32 2003
Date: Sun, 16 Nov 2003 22:39:26 +0100
From: Wiktor Niesiobedzki
To: freebsd-ipfw@freebsd.org
Message-ID: <20031116213926.GE718@mail.evip.pl>
In-Reply-To: <20031113104717.GK231@mail.evip.pl>
Subject: Re: Uid keyword matches only on loopback interface
List-Id: IPFW Technical Discussions

On Thu, Nov 13, 2003 at 11:47:17AM +0100, Wiktor Niesiobedzki wrote:
> Hi,
>
> After setting up my firewall I saw that only a few packets match the uid keyword.
> From my trivial test it came out that only loopback traffic can be matched. Is
> there some bug lying in here?
>
> The simple rule:
> 00395 0 0 count log tcp from any to any uid root
>
> Will match only:
> Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:80 127.0.0.1:50780 out via lo0
> Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 in via lo0
> Nov 13 11:41:25 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 out via lo0
>
> That kind of traffic. Any traffic going via another interface is not counted.

I can be more precise about my problem. As far as I checked, in check_uidgid() (line 1318 of ip_fw2.c) in_pcblookup_hash() returns NULL for almost every packet during the connection. I ran quite a long time with a count rule, which showed that a few thousand packets matched the rule (over the weekend, with a constant transfer of about 10KB/s from the watched user). Packets matched the rule only adventitiously.

Does anybody have any clues how I may debug the problem further?

Cheers,

Wiktor Niesiobedzki
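As an added illustration (not code from the thread or from FreeBSD), a small Python script that tallies hits of the `count log` rule per interface and direction from ipfw syslog lines of the format quoted above, so the loopback-only symptom can be confirmed from a log rather than by eye. The `fxp0` line and its addresses are constructed; the rule number 395 is the one from the post.

```python
import re
from collections import Counter

# Matches ipfw syslog lines of the form quoted in the thread, e.g.
#   Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:80 127.0.0.1:50780 out via lo0
# Ports are optional so that lines for protocols without ports still parse.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Return a dict describing one ipfw log line, or None if it is not an ipfw hit."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec


def matches_per_interface(lines, rule):
    """Count hits for `rule`, keyed by (interface, direction)."""
    hits = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is not None and rec["rule"] == rule:
            hits[(rec["iface"], rec["dir"])] += 1
    return hits


def only_loopback(hits):
    """True when every recorded hit was on lo0, i.e. the symptom described in the post."""
    return bool(hits) and all(iface == "lo0" for iface, _ in hits)


# Constructed sample: the three lines from the post plus one non-loopback hit on fxp0.
SAMPLE_LOG = """\
Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:80 127.0.0.1:50780 out via lo0
Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 in via lo0
Nov 13 11:41:25 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 out via lo0
Nov 13 11:41:30 portal kernel: ipfw: 395 Count TCP 192.0.2.10:33000 198.51.100.5:80 out via fxp0
""".splitlines()

if __name__ == "__main__":
    hits = matches_per_interface(SAMPLE_LOG, 395)
    for (iface, direction), n in sorted(hits.items()):
        print(f"{iface} {direction}: {n}")
    print("only loopback:", only_loopback(hits))
```

Feed it the real `/var/log/security` lines for the rule in question; if `only_loopback` stays true over a long capture, the rule is not matching non-loopback traffic at all.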