From owner-freebsd-bugs@FreeBSD.ORG Sat Nov 15 16:30:24 2003
Message-Id: <200311160026.hAG0QVwY092210@main.wireless.home>
Date: Sat, 15 Nov 2003 19:26:31 -0500 (EST)
From: "Andrey V. Shytov"
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/59314: ipfw: rules with uid are not matched.
X-Send-Pr-Version: 3.113
Resent-Date: Sat, 15 Nov 2003 16:30:22 -0800 (PST)
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Reply-To: "Andrey V. Shytov"

>Number:         59314
>Category:       kern
>Synopsis:       ipfw: rules with uid are not matched.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 15 16:30:22 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Andrey V. Shytov
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:   none
>Environment:
System: FreeBSD main.wireless.home 5.1-CURRENT FreeBSD 5.1-CURRENT #25: Sat Nov 15 17:20:29 EST 2003 root@main.wireless.home:/usr/obj/usr/src/sys/CUSTOM i386

>Description:
IPFW rules containing uid/gid are not matched.
>How-To-Repeat:
As a superuser, add a rule of the form:

	ipfw add 1 skipto 2 tcp from any to any dst-port 80 uid squid

(you can change "squid" to any uid on your system, and the port to any well-known port, so that you can test the rule by sending packets). Switch to the user specified in the rule:

	su squid

Send some packets, e.g.,

	telnet somehost 80

and examine the counters:

	ipfw show | head

In my case, both byte and packet counters were zero:

	00001 0 0 skipto 2 tcp from any to any dst-port 80 uid squid

Thus, the rule was not matched.
>Fix:
I found out that the check_uidgid function (ip_fw2.c:1296) is called incorrectly.
It is declared as:

	static int
	check_uidgid(ipfw_insn_u32 *insn,
	    int proto, struct ifnet *oif,
	    struct in_addr dst_ip, u_int16_t dst_port,	/* dst before src*/
	    struct in_addr src_ip, u_int16_t src_port)

but called as (ip_fw2.c:1653):

	match = check_uidgid(
	    (ipfw_insn_u32 *)cmd,
	    proto, oif,
	    src_ip, src_port,	/* src before dst */
	    dst_ip, dst_port);

Thus, check_uidgid was called with wrong args. Because of that, it was impossible to locate the corresponding pcb structure in the hash table, and the rule was not matched.

The following fix solved the problem:

--- sys/netinet/ip_fw2.c.old	Fri Nov 14 16:48:56 2003
+++ sys/netinet/ip_fw2.c	Sat Nov 15 18:21:40 2003
@@ -1653,8 +1653,8 @@
 				match = check_uidgid(
 					    (ipfw_insn_u32 *)cmd,
 					    proto, oif,
-					    src_ip, src_port,
-					    dst_ip, dst_port);
+					    dst_ip, dst_port,
+					    src_ip, src_port);
 				break;
 
 			case O_RECV:
>Release-Note:
>Audit-Trail:
>Unformatted:
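Review bot: the hunk at ip_fw2.c:1653 swaps the call-site arguments to match the declaration's documented dst-before-src order, which is the right side to change since the function body is what reads the parameters, but nothing in the patch guards against the same slip recurring: all four swapped parameters have identical types (struct in_addr, u_int16_t), so the compiler accepted the wrong order silently and only a zero packet counter revealed it. Carry the `/* dst before src */` comment down to the call site (e.g. `dst_ip, dst_port,	/* dst before src */`) or, better, pass the endpoints as one struct with named fields so the order cannot be confused, and grep for any other callers of check_uidgid before committing, since only this one call site is shown here.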
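The failure mode in this PR, as an added example that is not code from the PR or from FreeBSD: a lookup table keyed on the 4-tuple (dst_ip, dst_port, src_ip, src_port) with the parameters declared dst-before-src, probed once in the declared order and once src-before-dst as the buggy call site did. The second probe finds nothing, so the uid check fails exactly as the report's zero counters show. A struct with named fields is shown as the hardening that makes the swap visible at the call site. Everything here is constructed for illustration: struct toy_pcb, lookup_pcb, check_uid, struct flow, the addresses, ports and uid 100 standing in for "squid"; the real check_uidgid also matches on protocol and interface, which this toy leaves out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of the check_uidgid() argument-order bug (added example, not
 * FreeBSD code). The socket table is keyed on the 4-tuple
 * (dst_ip, dst_port, src_ip, src_port), declared dst-before-src exactly as
 * the PR's check_uidgid() is. Probing it src-before-dst, as the call site
 * at ip_fw2.c:1653 did before the fix, misses, so the uid rule never
 * matches. All names, addresses, ports and uids here are constructed.
 */

struct toy_pcb {
    uint32_t laddr;   /* local address, i.e. the packet's destination */
    uint16_t lport;
    uint32_t faddr;   /* foreign address, i.e. the packet's source */
    uint16_t fport;
    uint32_t uid;     /* owner of the socket */
};

/* Constructed sample: one socket owned by uid 100 (standing in for "squid"),
 * bound locally to 10.0.0.1:3128 and connected to 192.168.1.5:40000. */
static const struct toy_pcb pcb_table[] = {
    { 0x0a000001u, 3128, 0xc0a80105u, 40000, 100 },
};

/* Positional lookup, dst before src, mirroring the PR's declaration. */
static const struct toy_pcb *
lookup_pcb(uint32_t dst_ip, uint16_t dst_port,
           uint32_t src_ip, uint16_t src_port)
{
    for (size_t i = 0; i < sizeof pcb_table / sizeof pcb_table[0]; i++) {
        const struct toy_pcb *p = &pcb_table[i];
        if (p->laddr == dst_ip && p->lport == dst_port &&
            p->faddr == src_ip && p->fport == src_port)
            return p;
    }
    return NULL;
}

/* Returns 1 when the flow belongs to a socket owned by `uid`, else 0. */
int
check_uid(uint32_t uid, uint32_t dst_ip, uint16_t dst_port,
          uint32_t src_ip, uint16_t src_port)
{
    const struct toy_pcb *p = lookup_pcb(dst_ip, dst_port, src_ip, src_port);
    return p != NULL && p->uid == uid;
}

/* Hardened variant: one struct with named fields replaces four same-typed
 * positional parameters, so a caller using designated initializers cannot
 * swap dst and src without the mistake being visible at the call site. */
struct flow {
    uint32_t dst_ip;
    uint16_t dst_port;
    uint32_t src_ip;
    uint16_t src_port;
};

int
check_uid_flow(uint32_t uid, const struct flow *f)
{
    return check_uid(uid, f->dst_ip, f->dst_port, f->src_ip, f->src_port);
}

/* Call site in the declared order: the packet to 10.0.0.1:3128 from
 * 192.168.1.5:40000 is found and its owner is uid 100. */
int
demo_correct_order(void)
{
    return check_uid(100, 0x0a000001u, 3128, 0xc0a80105u, 40000);
}

/* The bug as at ip_fw2.c:1653 before the fix: src passed where dst is
 * expected. Same types, so it compiles, but the lookup misses. */
int
demo_swapped_order(void)
{
    return check_uid(100, 0xc0a80105u, 40000, 0x0a000001u, 3128);
}

/* Named fields: the initializer order is irrelevant, the lookup still hits. */
int
demo_named_fields(void)
{
    struct flow f = {
        .src_ip = 0xc0a80105u, .src_port = 40000,
        .dst_ip = 0x0a000001u, .dst_port = 3128,
    };
    return check_uid_flow(100, &f);
}

int
main(void)
{
    printf("declared order : match=%d\n", demo_correct_order());
    printf("swapped order  : match=%d\n", demo_swapped_order());
    printf("named fields   : match=%d\n", demo_named_fields());
    return 0;
}
```

The swapped probe is the whole story of the PR in miniature: nothing fails loudly, the table is simply never hit, and the only symptom is a counter that stays at zero. The struct variant costs nothing at runtime and turns a silent transposition into something a reviewer can see in the initializer.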