Source-Changes-D archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: CVS commit: src/sys/dist/pf/net

Christos Zoulas wrote:
> On Feb 19, 10:55pm, (Alexander Nasonov) wrote:
> -- Subject: Re: CVS commit: src/sys/dist/pf/net
> | I think it's perfectly normal for an incoming packet to have no
> | cred. For instance, if that packet is about to be accepted.
> Yes, that is what I was thinking.
> | pd->lookup.uid and pd->lookup.gid are set to UID_MAX and GID_MAX
> | at the beginning of the function. They can be probably changed only
> | if so_cred is set:
> | 
> |         if (so == NULL)                                                                                                                                  return -1;                                                                                                                       if (so->so_cred != NULL) {                                                                                                                       pd->lookup.uid = kauth_cred_geteuid(so->so_cred);                                                                                        pd->lookup.gid = kauth_cred_getegid(so->so_cred);                                                                                }         
> Or should return -1 there too without printing anything...
> I have not looked if -1 is handled differently.

What does return -1 do? Skip a packet? Reject?

I think it reasonable to set uid to something that can't belong to
a real user and pass control to pf matching engine. I don't know
about pf internals to confirm whether this can work as expected.

So, I'm running the new kernel with my change to pf_socket_lookup
and without your change in ipc_socket2.c. I see randomly rejected
packets in pflog but otherwise it runs fine.

I'll try your change tomorrow.


Home | Main Index | Thread Index | Old Index