From shytov@cmt.harvard.edu  Sat Nov 15 16:26:46 2003
Return-Path: <shytov@cmt.harvard.edu>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8737B16A4CF
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 15 Nov 2003 16:26:46 -0800 (PST)
Received: from cmtq0.harvard.edu (cmtq0.harvard.edu [140.247.122.90])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7505D43FD7
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 15 Nov 2003 16:26:45 -0800 (PST)
	(envelope-from shytov@cmt.harvard.edu)
Received: from shytov.itp.ucsb.edu (cmtq5 [140.247.122.195])
	by cmtq0.harvard.edu (8.12.8/8.12.8) with ESMTP id hAG0QiVw014743
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 15 Nov 2003 19:26:44 -0500
Received: from main.wireless.home (localhost.home [127.0.0.1])
	by shytov.itp.ucsb.edu (8.12.10/8.12.10) with ESMTP id hAG0QV1G092211
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 15 Nov 2003 19:26:31 -0500 (EST)
	(envelope-from avs@main.wireless.home)
Received: (from avs@localhost)
	by main.wireless.home (8.12.10/8.12.10/Submit) id hAG0QVwY092210;
	Sat, 15 Nov 2003 19:26:31 -0500 (EST)
	(envelope-from avs)
Message-Id: <200311160026.hAG0QVwY092210@main.wireless.home>
Date: Sat, 15 Nov 2003 19:26:31 -0500 (EST)
From: "Andrey V. Shytov" <shytov@cmt.harvard.edu>
Reply-To: "Andrey V. Shytov" <shytov@cmt.harvard.edu>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ipfw: rules with uid are not matched. 
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         59314
>Category:       kern
>Synopsis:       ipfw: rules with uid are not matched.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    maxim
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 15 16:30:22 PST 2003
>Closed-Date:    Thu Nov 20 02:29:50 PST 2003
>Last-Modified:  Thu Nov 20 02:29:50 PST 2003
>Originator:     Andrey V. Shytov
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
none
>Environment:
System: FreeBSD main.wireless.home 5.1-CURRENT FreeBSD 5.1-CURRENT #25: Sat Nov 15 17:20:29 EST 2003 root@main.wireless.home:/usr/obj/usr/src/sys/CUSTOM i386
>Description:

	IPFW rules containing uid/gid are not matched.  

>How-To-Repeat:

	As a superuser, add a rule of the form:

	   ipfw add 1 skipto 2 tcp from any to any dst-port 80 uid squid

	(you can change "squid" to any uid on your system, and the port to any
	well-known port, so that you can test the rule by sending packets).
	Switch to the user specified in the rule:

	   su squid

	Send some packets, e.g.,

	   telnet somehost 80

	and examine the counters:

	   ipfw show | head

	In my case, both byte and packet counters were zero:

	00001  0  0   skipto 2 tcp from any to any dst-port 80 uid squid

	Thus, the rule was not matched.
 	
>Fix:

	I found out that the check_uidgid function (ip_fw2.c:1296)
	is called incorrectly. It is declared as:

	   static int
	   check_uidgid(ipfw_insn_u32 *insn,
	         int proto, struct ifnet *oif,
	         struct in_addr dst_ip, u_int16_t dst_port, /* dst before src*/
	         struct in_addr src_ip, u_int16_t src_port)

	but called as (ip_fw2.c:1653):

	   match = check_uidgid(
	               (ipfw_insn_u32 *)cmd,
	               proto, oif,
	               src_ip, src_port,               /* src before dst */
	               dst_ip, dst_port);

	Thus, check_uidgid was called with the wrong arguments. Because of that,
	it was impossible to locate the corresponding pcb structure
	in the hash table, and the rule was not matched.
	The following fix solved the problem:

--- sys/netinet/ip_fw2.c.old	Fri Nov 14 16:48:56 2003
+++ sys/netinet/ip_fw2.c	Sat Nov 15 18:21:40 2003
@@ -1653,8 +1653,8 @@
 					match = check_uidgid(
 						    (ipfw_insn_u32 *)cmd,
 						    proto, oif,
-						    src_ip, src_port,
-						    dst_ip, dst_port);
+						    dst_ip, dst_port,
+						    src_ip, src_port);
 				break;
 
 			case O_RECV:
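Review bot: the reordering brings the call into line with the prototype's declared order (dst_ip, dst_port, src_ip, src_port), but all four arguments remain positionally interchangeable (two struct in_addr, two u_int16_t), so the compiler cannot catch a recurrence; suggest adding a `/* dst before src */` comment at the call site, mirroring the one on the prototype, or, more robustly, passing the two address/port pairs as one struct so that a swap becomes a type error. Since the routine also takes oif, it is worth re-running the How-To-Repeat test for an inbound connection as well, to confirm the lookup direction is right in both cases.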

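The argument-order mismatch described above, as an added illustration that is not FreeBSD's code: a constructed pcb table keyed the way check_uidgid's lookup needs it (foreign side first, then local), with the pre-patch and post-patch call side by side. The names pcb_lookup, check_uid and UID_SQUID, the addresses and the exact-match scan are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in for the pcb table that check_uidgid() consults; not
 * FreeBSD's inpcb code. Assumption: the real lookup is keyed on the tuple
 * (foreign addr, foreign port, local addr, local port), modelled here with
 * host-order uint32_t addresses and an exact-match linear scan. */
struct pcb {
    uint32_t faddr; uint16_t fport;   /* foreign (peer) side */
    uint32_t laddr; uint16_t lport;   /* local side */
    int      uid;                     /* owner of the socket */
};
#define UID_SQUID 100                 /* sample uid, constructed */
/* Outbound packet from squid, as in the report: 10.0.0.5:49152 -> 192.0.2.10:80 */
#define SRC_IP   0x0A000005u
#define SRC_PORT 49152
#define DST_IP   0xC000020Au
#define DST_PORT 80
/* The one connection owned by squid; foreign side first, as the lookup expects. */
static const struct pcb pcbtable[] = { { DST_IP, DST_PORT, SRC_IP, SRC_PORT, UID_SQUID } };
static const struct pcb *pcb_lookup(uint32_t faddr, uint16_t fport,
                                    uint32_t laddr, uint16_t lport)
{
    for (size_t i = 0; i < sizeof pcbtable / sizeof pcbtable[0]; i++)
        if (pcbtable[i].faddr == faddr && pcbtable[i].fport == fport &&
            pcbtable[i].laddr == laddr && pcbtable[i].lport == lport)
            return &pcbtable[i];
    return NULL;
}
/* Same parameter order as check_uidgid(): dst before src. For an outbound
 * packet the destination is the foreign side and the source the local side. */
static int check_uid(int want_uid,
                     uint32_t dst_ip, uint16_t dst_port,   /* dst before src */
                     uint32_t src_ip, uint16_t src_port)
{
    const struct pcb *p = pcb_lookup(dst_ip, dst_port, src_ip, src_port);
    return p != NULL && p->uid == want_uid;
}

/* Call site before the patch: src handed over where dst is expected. */
int match_before_fix(void)
{
    return check_uid(UID_SQUID, SRC_IP, SRC_PORT, DST_IP, DST_PORT);  /* 0: no pcb */
}

/* Call site after the patch: argument order agrees with the prototype. */
int match_after_fix(void)
{
    return check_uid(UID_SQUID, DST_IP, DST_PORT, SRC_IP, SRC_PORT);  /* 1: matched */
}
```

The swapped call searches for a connection whose foreign side is 10.0.0.5:49152, which no socket has, so the uid rule never matches even though squid's connection is in the table.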
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->luigi 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sat Nov 15 17:08:44 PST 2003 
Responsible-Changed-Why:  
Assign to ipfw author 

http://www.freebsd.org/cgi/query-pr.cgi?pr=59314 
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Thu Nov 20 02:28:47 PST 2003 
State-Changed-Why:  
Fixed in rev. 1.45 sys/netinet/ip_fw2.c, thanks! 


Responsible-Changed-From-To: luigi->maxim 
Responsible-Changed-By: maxim 
Responsible-Changed-When: Thu Nov 20 02:28:47 PST 2003 
Responsible-Changed-Why:  
Fixed in rev. 1.45 sys/netinet/ip_fw2.c, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=59314 
>Unformatted:
