kern/59314: ipfw: rules with uid are not matched.
Andrey V. Shytov
shytov at cmt.harvard.edu
Sat Nov 15 16:30:24 PST 2003
>Number: 59314
>Category: kern
>Synopsis: ipfw: rules with uid are not matched.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Nov 15 16:30:22 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Andrey V. Shytov
>Release: FreeBSD 5.1-CURRENT i386
>Organization:
none
>Environment:
System: FreeBSD main.wireless.home 5.1-CURRENT FreeBSD 5.1-CURRENT #25: Sat Nov 15 17:20:29 EST 2003 root at main.wireless.home:/usr/obj/usr/src/sys/CUSTOM i386
>Description:
IPFW rules containing uid/gid are not matched.
>How-To-Repeat:
As a superuser, add a rule of the form:
ipfw add 1 skipto 2 tcp from any to any dst-port 80 uid squid
(you can change "squid" to any uid on your system, and the port to any
well-known port, so that you can test the rule by sending packets).
Switch to a user specified in the rule:
su squid
Send some packets, e.g.,
telnet somehost 80
and examine the counters:
ipfw show | head
In my case, both byte and packet counters were zero:
00001 0 0 skipto 2 tcp from any to any dst-port 80 uid squid
Thus, the rule was not matched.
>Fix:
I found out that the check_uidgid function (ip_fw2.c:1296)
is called incorrectly. It is declared as:
static int
check_uidgid(ipfw_insn_u32 *insn,
    int proto, struct ifnet *oif,
    struct in_addr dst_ip, u_int16_t dst_port, /* dst before src */
    struct in_addr src_ip, u_int16_t src_port)
but called as (ip_fw2.c:1653):
match = check_uidgid(
    (ipfw_insn_u32 *)cmd,
    proto, oif,
    src_ip, src_port, /* src before dst */
    dst_ip, dst_port);
Thus, check_uidgid was called with the wrong args. Because of that,
it was impossible to locate the corresponding pcb structure
in the hash table, and the rule was not matched.
The following fix solved the problem:
--- sys/netinet/ip_fw2.c.old Fri Nov 14 16:48:56 2003
+++ sys/netinet/ip_fw2.c Sat Nov 15 18:21:40 2003
@@ -1653,8 +1653,8 @@
match = check_uidgid(
(ipfw_insn_u32 *)cmd,
proto, oif,
- src_ip, src_port,
- dst_ip, dst_port);
+ dst_ip, dst_port,
+ src_ip, src_port);
break;
case O_RECV:
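Review bot: the swap in this hunk is correct against the declaration quoted above (dst_ip, dst_port listed before src_ip, src_port), but the transposition it fixes was invisible to the compiler because both pairs have the identical types struct in_addr and u_int16_t; suggest carrying the declaration's ordering note into the call site so the next reader sees it, e.g. `+ dst_ip, dst_port, /* dst before src, as declared */`, and confirming that no other caller of check_uidgid() passes the pairs in src-first order.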
>Release-Note:
>Audit-Trail:
>Unformatted:
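The defect above is a pure argument transposition: the declaration takes the
destination pair first, the caller passed the source pair first, and because
both pairs have the same C types the compiler accepted it and the pcb lookup
silently missed. The following is an added example written for this page, not
code from the PR or from FreeBSD's ip_fw2.c. It models the lookup with a
constructed four-tuple table (the addresses and the uid value 1001 standing in
for "squid" are assumptions), shows the buggy and the fixed call side by side,
and adds a struct-typed variant in which the same transposition becomes a
compile-time error instead of a silent miss.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's pcb hash: one record per flow,
 * keyed on (dst_ip, dst_port, src_ip, src_port), carrying the socket owner. */
struct flow {
    uint32_t dst_ip, src_ip;
    uint16_t dst_port, src_port;
    uint32_t uid;
};

static const struct flow table[] = {
    /* Assumed: 10.0.0.2:40123 -> 10.0.0.1:80 owned by uid 1001 ("squid"). */
    { 0x0a000001u, 0x0a000002u, 80,  40123, 1001 },
    /* Assumed: 10.0.0.3:50001 -> 10.0.0.1:443 owned by uid 1002. */
    { 0x0a000001u, 0x0a000003u, 443, 50001, 1002 },
};

/* Lookup in the declared order of check_uidgid(): dst pair before src pair. */
static int lookup_uid(uint32_t dst_ip, uint16_t dst_port,
                      uint32_t src_ip, uint16_t src_port, uint32_t *uid_out)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        const struct flow *f = &table[i];
        if (f->dst_ip == dst_ip && f->dst_port == dst_port &&
            f->src_ip == src_ip && f->src_port == src_port) {
            *uid_out = f->uid;
            return 1;
        }
    }
    return 0; /* no pcb for this tuple */
}

/* The PR's buggy call shape: src pair passed where dst pair is declared.
 * Compiles cleanly (same types), but the tuple never matches the table. */
static int match_uid_buggy(uint32_t src_ip, uint16_t src_port,
                           uint32_t dst_ip, uint16_t dst_port, uint32_t want_uid)
{
    uint32_t uid;
    if (!lookup_uid(src_ip, src_port, dst_ip, dst_port, &uid)) /* transposed */
        return 0;
    return uid == want_uid;
}

/* The fixed call shape: arguments in the declared order. */
static int match_uid_fixed(uint32_t src_ip, uint16_t src_port,
                           uint32_t dst_ip, uint16_t dst_port, uint32_t want_uid)
{
    uint32_t uid;
    if (!lookup_uid(dst_ip, dst_port, src_ip, src_port, &uid)) /* dst before src */
        return 0;
    return uid == want_uid;
}

/* Hardened interface: distinct wrapper types for the two endpoints, so passing
 * a src_ep where a dst_ep is expected is rejected by the compiler. */
struct endpoint { uint32_t ip; uint16_t port; };
struct dst_ep { struct endpoint ep; };
struct src_ep { struct endpoint ep; };

static int match_uid_typed(struct dst_ep dst, struct src_ep src, uint32_t want_uid)
{
    uint32_t uid;
    if (!lookup_uid(dst.ep.ip, dst.ep.port, src.ep.ip, src.ep.port, &uid))
        return 0;
    return uid == want_uid;
}

int main(void)
{
    /* Packet from 10.0.0.2:40123 to 10.0.0.1:80, rule says "uid 1001". */
    printf("buggy call matched: %d\n", match_uid_buggy(0x0a000002u, 40123, 0x0a000001u, 80, 1001));
    printf("fixed call matched: %d\n", match_uid_fixed(0x0a000002u, 40123, 0x0a000001u, 80, 1001));
    printf("typed call matched: %d\n",
           match_uid_typed((struct dst_ep){{0x0a000001u, 80}},
                           (struct src_ep){{0x0a000002u, 40123}}, 1001));
    return 0;
}
```

The typed variant is the defensive takeaway: when two parameters share a
representation but not a meaning, giving them distinct types turns a silent
lookup miss (the PR's symptom of zero counters on a rule that should match)
into a build failure at the call site.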