On Feb 19, 11:35pm, al...@yandex.ru (Alexander Nasonov) wrote: -- Subject: Re: CVS commit: src/sys/dist/pf/net
| Christos Zoulas wrote:
| > On Feb 19, 10:55pm, al...@yandex.ru (Alexander Nasonov) wrote:
| > -- Subject: Re: CVS commit: src/sys/dist/pf/net
| >
| > | I think it's perfectly normal for an incoming packet to have no
| > | cred. For instance, if that packet is about to be accepted.
| >
| > Yes, that is what I was thinking.
| >
| > | pd->lookup.uid and pd->lookup.gid are set to UID_MAX and GID_MAX
| > | at the beginning of the function. They can probably be changed only
| > | if so_cred is set:
| > |
| > | if (so == NULL)
| > |         return -1;
| > | if (so->so_cred != NULL) {
| > |         pd->lookup.uid = kauth_cred_geteuid(so->so_cred);
| > |         pd->lookup.gid = kauth_cred_getegid(so->so_cred);
| > | }
| >
| > Or should return -1 there too without printing anything...
| > I have not looked if -1 is handled differently.
|
| What does return -1 do? Skip a packet? Reject?
|
| I think it reasonable to set uid to something that can't belong to
| a real user and pass control to the pf matching engine. I don't know
| about pf internals to confirm whether this can work as expected.
|
| So, I'm running the new kernel with my change to pf_socket_lookup
| and without your change in ipc_socket2.c. I see randomly rejected
| packets in pflog but otherwise it runs fine.
|
| I'll try your change tomorrow.

I changed it to return -1 and did not change the uipc_socket2.c code to
add the credentials. Returning -1 means that there is no info to do the
matching there, so it is ok (looking at the lookup.done variable).

christos
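The difference between the two approaches in the thread (leave uid/gid at UID_MAX/GID_MAX and fall through, versus return -1 as soon as there is no socket or no credential) comes down to what the rule matcher does with a lookup that found nothing. The following is an added C model of that path, not NetBSD or pf source: the struct and function names echo pf's (pf_socket_lookup, lookup.uid/gid/done, pf_match_uid) but the types are stand-ins, the credential and socket fixtures are constructed, and two points are assumptions rather than something the page states: that lookup.done stores the lookup's return value so a -1 is cached and never retried, and that an "unknown" uid (UID_MAX) only satisfies an explicit eq/ne test such as "user = unknown", never a range test.

```c
/*
 * Added example, not NetBSD/pf code: a model of pf_socket_lookup() returning
 * -1 for "no information" and of how a rule's "user" option treats that.
 * Names echo pf's; types, fixtures and the pf_match_uid() semantics below
 * are assumptions for illustration.
 */
#include <limits.h>
#include <stdio.h>
#include <sys/types.h>

#ifndef UID_MAX
#define UID_MAX ((uid_t)UINT_MAX)   /* NetBSD defines these; others may not */
#endif
#ifndef GID_MAX
#define GID_MAX ((gid_t)UINT_MAX)
#endif

struct cred   { uid_t euid; gid_t egid; };          /* stand-in for kauth_cred_t */
struct socket { struct cred *so_cred; };            /* stand-in for struct socket */
struct pf_lookup { uid_t uid; gid_t gid; int done; };

enum pf_op { PF_OP_NONE, PF_OP_EQ, PF_OP_NE, PF_OP_LT, PF_OP_GT };

static int lookup_calls;   /* instrumentation: how often the lookup ran */

/* The variant the thread settles on: uid/gid start as "unknown", and a
 * missing socket or a socket without a credential returns -1 untouched. */
int pf_socket_lookup(struct socket *so, struct pf_lookup *lk)
{
    lookup_calls++;
    lk->uid = UID_MAX;
    lk->gid = GID_MAX;
    if (so == NULL)
        return -1;
    if (so->so_cred == NULL)
        return -1;                  /* e.g. incoming packet not yet accepted */
    lk->uid = so->so_cred->euid;
    lk->gid = so->so_cred->egid;
    return 1;
}

/* Assumption: an unknown uid only satisfies eq/ne ("user = unknown"). */
int pf_match_uid(enum pf_op op, uid_t a1, uid_t u)
{
    if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
        return 0;
    switch (op) {
    case PF_OP_EQ: return u == a1;
    case PF_OP_NE: return u != a1;
    case PF_OP_LT: return u < a1;
    case PF_OP_GT: return u > a1;
    default:       return 1;
    }
}

/* One rule's "user" option. The lookup runs lazily and once per packet:
 * lookup.done keeps the return value, and -1 is nonzero, so a failed
 * lookup counts as done and is not retried for later rules. */
int rule_matches(enum pf_op op, uid_t a1, struct socket *so, struct pf_lookup *lk)
{
    if (op == PF_OP_NONE)
        return 1;                   /* rule has no user option */
    if (!lk->done)
        lk->done = pf_socket_lookup(so, lk);
    return pf_match_uid(op, a1, lk->uid);
}

/* Constructed fixtures, static so callers get stable pointers. */
struct socket *sock_no_cred(void)
{
    static struct socket so = { NULL };
    return &so;
}
struct socket *sock_with_uid(uid_t uid)
{
    static struct cred cr; static struct socket so;
    cr.euid = uid; cr.egid = 100; so.so_cred = &cr;
    return &so;
}
struct pf_lookup *fresh_lookup(void)
{
    static struct pf_lookup lk;
    lk.uid = 0; lk.gid = 0; lk.done = 0;
    return &lk;
}

/* How many socket lookups do two user rules on one packet cost? */
int lookups_for_two_rules(struct socket *so)
{
    struct pf_lookup lk = { 0, 0, 0 };
    int before = lookup_calls;
    rule_matches(PF_OP_LT, 1000, so, &lk);
    rule_matches(PF_OP_GT, 0, so, &lk);
    return lookup_calls - before;
}

int main(void)
{
    printf("no socket: %d\n", pf_socket_lookup(NULL, fresh_lookup()));
    printf("no cred:   %d\n", pf_socket_lookup(sock_no_cred(), fresh_lookup()));
    printf("'user < 1000' on no-cred packet:    %d\n",
           rule_matches(PF_OP_LT, 1000, sock_no_cred(), fresh_lookup()));
    printf("'user = unknown' on no-cred packet: %d\n",
           rule_matches(PF_OP_EQ, UID_MAX, sock_no_cred(), fresh_lookup()));
    printf("lookups for two rules: %d\n", lookups_for_two_rules(sock_no_cred()));
    return 0;
}
```

The point the model makes is the one in the last message: a -1 is not a reject and not a skip of the packet, it only records that no uid/gid information exists, so rules that constrain the user by range cannot match the packet, a rule written for the unknown case still can, and the rest of the ruleset proceeds normally.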