Source-Changes-D archive


Re: CVS commit: src/sys/dist/pf/net



On Feb 19, 11:35pm, alnsn%yandex.ru@localhost (Alexander Nasonov) wrote:
-- Subject: Re: CVS commit: src/sys/dist/pf/net

| Christos Zoulas wrote:
| > On Feb 19, 10:55pm, alnsn%yandex.ru@localhost (Alexander Nasonov) wrote:
| > -- Subject: Re: CVS commit: src/sys/dist/pf/net
| > 
| > | I think it's perfectly normal for an incoming packet to have no
| > | cred. For instance, if that packet is about to be accepted.
| > 
| > Yes, that is what I was thinking.
| > 
| > | pd->lookup.uid and pd->lookup.gid are set to UID_MAX and GID_MAX
| > | at the beginning of the function. They can probably be changed only
| > | if so_cred is set:
| > | 
| > |         if (so == NULL)
| > |                 return -1;
| > |         if (so->so_cred != NULL) {
| > |                 pd->lookup.uid = kauth_cred_geteuid(so->so_cred);
| > |                 pd->lookup.gid = kauth_cred_getegid(so->so_cred);
| > |         }
| > 
| > Or should return -1 there too without printing anything...
| > I have not looked if -1 is handled differently.
| > 
| 
| What does return -1 do? Skip a packet? Reject?
| 
| I think it is reasonable to set uid to something that can't belong to
| a real user and pass control to the pf matching engine. I don't know
| enough about pf internals to confirm whether this can work as expected.
| 
| So, I'm running the new kernel with my change to pf_socket_lookup
| and without your change in ipc_socket2.c. I see randomly rejected
| packets in pflog but otherwise it runs fine.
| 
| I'll try your change tomorrow.

I changed it to return -1 and did not change the uipc_socket2.c code to
add the credentials. Returning -1 means that there is no info to do the
matching there, so it is ok (looking at the lookup.done variable).

christos
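As an added illustration (not NetBSD's pf code; the struct names, the lookup wrapper and the rule-matching shape are assumptions made for the example), a small model of the two alternatives discussed in this thread: returning -1 from the socket lookup so the matching engine knows there is no owner information, versus leaving only the UID_MAX/GID_MAX sentinel in place and letting a user rule compare against it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Sentinels for "owner unknown", mirroring the defaults the thread mentions. */
#define UID_MAX UINT32_MAX
#define GID_MAX UINT32_MAX

struct cred { uint32_t euid, egid; };              /* hypothetical */
struct socket { struct cred *so_cred; };           /* hypothetical */
struct pf_lookup { int done; uint32_t uid, gid; }; /* hypothetical */

/* Model of pf_socket_lookup(): -1 means "no information to match on"
 * (no socket, or a socket without credentials); uid/gid keep the sentinels. */
int socket_lookup(const struct socket *so, struct pf_lookup *lk)
{
    lk->done = 1;
    lk->uid = UID_MAX;
    lk->gid = GID_MAX;
    if (so == NULL || so->so_cred == NULL)
        return -1;
    lk->uid = so->so_cred->euid;
    lk->gid = so->so_cred->egid;
    return 1;
}

/* Rule "user == N" (negate=false) or "user != N" (negate=true), honouring -1:
 * a packet with no known owner never matches a user rule. */
bool rule_user_matches(uint32_t rule_uid, bool negate, const struct socket *so)
{
    struct pf_lookup lk;
    if (socket_lookup(so, &lk) < 0)
        return false;
    return negate ? lk.uid != rule_uid : lk.uid == rule_uid;
}

/* Same rule evaluated on the sentinel alone, ignoring the return value:
 * "user != N" now matches ownerless packets, because UID_MAX != N. */
bool sentinel_only_matches(uint32_t rule_uid, bool negate, const struct socket *so)
{
    struct pf_lookup lk;
    (void)socket_lookup(so, &lk);
    return negate ? lk.uid != rule_uid : lk.uid == rule_uid;
}
```

The difference shows up only for negated user rules: with the sentinel alone, a credential-less packet satisfies "user != N" for every N, whereas the -1 path skips the user check entirely.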

