Date: Wed, 28 Feb 2007 08:50:40 +0000 (UTC) From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> To: freebsd-net@freebsd.org Cc: Robert Watson <rwatson@freebsd.org> Subject: Re: LOR with divert sockets Message-ID: <20070228084928.Y64827@maildrop.int.zabbadoz.net> In-Reply-To: <45E53F7D.4030703@netfence.it> References: <45E21468.4060200@netfence.it> <20070227222316.R60173@fledge.watson.org> <45E53F7D.4030703@netfence.it>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 28 Feb 2007, Andrea Venturoli wrote:
> Robert Watson wrote:
>
>> What versions of ip_fw2.c and ip_divert.c were in use?
>
> From i386/6.2-RELEASE-p1, i.e.:
> src/sys/netinet/ip_fw2.c,v 1.106.2.21 2006/10/10 18:39:38 bz
> src/sys/netinet/ip_divert.c,v 1.113.2.2 2006/05/16 07:27:48 ps
>
>
>
>> Also, could you let me know if you use any uid/gid rules in your IPFW rule
>> set?
>
> Yep.
>
> 04000 allow tcp from me to any uid squid out via xl0 setup keep-state
>
> I use this to allow squid to retrieve everything according to its own
> security settings.
I am unsure but this should still be true for at least RELENG_6. I
can only remember that there was work in progress but cannot remmember
things were patched and where or not...
%man ipfw | col -b | grep -5 'Rules which use uid' | tail -7 | head -5
Rules which use uid, gid or jail based matching should be used only if
debug.mpsafenet=0 to avoid possible deadlocks due to layering violations
in its implementation.
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070228084928.Y64827>