[pf4freebsd] Re: problem with 'user'
Pyun YongHyeon
yongari at kt-is.co.kr
Wed Sep 15 21:00:05 PDT 2004
On Fri, Jan 30, 2004 at 01:34:56PM +0100, jb wrote:
> Hi,
>
> I'm playing with pf on a FreeBSD 5.2 fresh install on i386 and I'm
> experimenting some problems with the following simplified pf.conf on
> my FreeBSD box, it works as I expect on an OpenBSD 3.4 box - plan is to
> allow local user 'jibe' to do dns queries.
>
> My DNS is 10.0.0.2, my box is 10.0.0.8, my nic is sis0 (more config at
> the bottom of this message).
>
> block in log all
> block out log all
> pass in on lo0 all
> pass out on lo0 all
>
> pass out log proto udp from any to any port domain user jibe keep state
>
> from the command line, "dig openbsd.org" (say), results in the following
> in pflog0 (output of pftcpdump -n -e -ttt -i pflog0 )
>
> 000000 rule 1/0(match): block out on sis0: 10.0.0.8.49240 > 10.0.0.2.53: 13228+[|domain]
> 000402 rule 1/0(match): block out on sis0: 10.0.0.8.49242 > 10.0.0.2.53: 13228+[|domain]
>
> now, changing 'jibe' for 'unknown' in the configuration file:
>
> block in log all
> block out log all
> pass in on lo0 all
> pass out on lo0 all
>
> pass out log proto udp from any to any port domain user unknown keep state
>
> dig works and pftcpdump output is:
>
> 100. 942731 rule 4/0(match): pass out on sis0: 10.0.0.8.49244 > 10.0.0.2.53: 53585+[|domain]
>
> The difference between the OpenBSD and FreeBSD pf results makes me think this
> is a misbehavior, but it's not like I'm clued about networking and firewalls.
> Can others reproduce this, or is it the result of my own confusion?
>
> thanks for your work, it is really nice to be able to use pf on FreeBSD.
> thanks in advance for your help.
> jb
>
Thank you for your report.
Can you try this patch? (Copy the attached file to the
/usr/ports/security/pf/files directory and build.)
Working/failure reports are very appreciated.
--- pf/pf.c.orig Tue Jan 6 15:05:35 2004
+++ pf/pf.c Sat Jan 31 14:33:47 2004
@@ -2153,11 +2153,11 @@
struct pf_addr *saddr, *daddr;
u_int16_t sport, dport;
#if defined(__FreeBSD__)
- struct inpcb *inp;
+ struct inpcbinfo *pi;
#else
struct inpcbtable *tb;
- struct inpcb *inp;
#endif
+ struct inpcb *inp;
*uid = UID_MAX;
*gid = GID_MAX;
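Review bot: `pi` is declared in the FreeBSD branch without an initializer, so any protocol that leaves the switch below without assigning it would reach `INP_INFO_RLOCK(pi)` with an indeterminate pointer; either initialise it (`struct inpcbinfo *pi = NULL;`) or confirm that the switch's default case returns before the lookup. Hoisting `struct inpcb *inp;` out of the `#if`/`#else` so it is declared once for both platforms is a good tidy-up.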
@@ -2165,14 +2165,18 @@
case IPPROTO_TCP:
sport = pd->hdr.tcp->th_sport;
dport = pd->hdr.tcp->th_dport;
-#if !defined(__FreeBSD__)
+#if defined(__FreeBSD__)
+ pi = &tcbinfo;
+#else
tb = &tcbtable;
#endif
break;
case IPPROTO_UDP:
sport = pd->hdr.udp->uh_sport;
dport = pd->hdr.udp->uh_dport;
-#if !defined(__FreeBSD__)
+#if defined(__FreeBSD__)
+ pi = &udbinfo;
+#else
tb = &udbtable;
#endif
break;
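Review bot: selecting `&udbinfo` for `IPPROTO_UDP` is the substantive fix for the reported behaviour: the unchanged code further down looked every socket up in `tcbinfo` regardless of protocol, so a UDP socket was never found, `*uid` stayed at `UID_MAX`, and only `user unknown` could ever match a UDP rule, which is exactly what the reporter's pflog output shows. A one-line comment above the switch stating that `pi` must point at the PCB table of the matched protocol would make that intent clear to the next reader, and it is worth noting that the `#else` branch deliberately keeps `tb` for OpenBSD.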
@@ -2195,16 +2199,16 @@
case AF_INET:
#if defined(__FreeBSD__)
#if (__FreeBSD_version >= 500043)
- INP_INFO_RLOCK(&tcbinfo);
+ INP_INFO_RLOCK(pi); /* XXX LOR */
#endif
- inp = in_pcblookup_hash(&tcbinfo, saddr->v4, sport, daddr->v4,
+ inp = in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4,
dport, 0, NULL);
if (inp == NULL) {
- inp = in_pcblookup_hash(&tcbinfo, saddr->v4, sport,
+ inp = in_pcblookup_hash(pi, saddr->v4, sport,
daddr->v4, dport, INPLOOKUP_WILDCARD, NULL);
if(inp == NULL) {
#if (__FreeBSD_version >= 500043)
- INP_INFO_RUNLOCK(&tcbinfo);
+ INP_INFO_RUNLOCK(pi);
#endif
return (0);
}
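Review bot: the `/* XXX LOR */` marker on `INP_INFO_RLOCK(pi)` records a suspected lock-order reversal but does not say which lock ordering is in question, so nobody can act on it; spell out the suspected ordering in the comment or in the mail. The marker also appears only on this AF_INET call and not on the identical call in the AF_INET6 path, so if the concern is real it applies to both.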
@@ -2223,16 +2227,16 @@
case AF_INET6:
#if defined(__FreeBSD__)
#if (__FreeBSD_version >= 500043)
- INP_INFO_RLOCK(&tcbinfo);
+ INP_INFO_RLOCK(pi);
#endif
- inp = in6_pcblookup_hash(&tcbinfo, &saddr->v6, sport,
+ inp = in6_pcblookup_hash(pi, &saddr->v6, sport,
&daddr->v6, dport, 0, NULL);
if (inp == NULL) {
- inp = in6_pcblookup_hash(&tcbinfo, &saddr->v6, sport,
+ inp = in6_pcblookup_hash(pi, &saddr->v6, sport,
&daddr->v6, dport, INPLOOKUP_WILDCARD, NULL);
if (inp == NULL) {
#if (__FreeBSD_version >= 500043)
- INP_INFO_RUNLOCK(&tcbinfo);
+ INP_INFO_RUNLOCK(pi);
#endif
return (0);
}
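Review bot: this mirrors the AF_INET change but lacks the `/* XXX LOR */` annotation that the v4 branch carries; either the concern is specific to v4 and the comment should say so, or the annotation belongs on both `INP_INFO_RLOCK(pi)` calls. The early-return path under `if (inp == NULL)` correctly releases `pi` rather than `&tcbinfo`, which matters now that `pi` may be `&udbinfo`.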
@@ -2261,7 +2265,7 @@
*gid = inp->inp_socket->so_cred->cr_groups[0];
#if (__FreeBSD_version >= 500043)
INP_UNLOCK(inp);
- INP_INFO_RUNLOCK(&tcbinfo);
+ INP_INFO_RUNLOCK(pi);
#endif
#else
*uid = inp->inp_socket->so_euid;
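Review bot: the unlock on the success path now pairs with the lock taken on `pi`, but the diff only shows the return paths in the hunks above; any other exit between `INP_INFO_RLOCK(pi)` and this `INP_INFO_RUNLOCK(pi)` that still references `&tcbinfo` would release the wrong lock when `pi` is `&udbinfo`, so grep the remainder of the function for leftover `tcbinfo` uses before committing.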
--
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>