From nobody@FreeBSD.org  Mon Mar  8 19:50:50 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1DC8B16A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  8 Mar 2004 19:50:50 -0800 (PST)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 171B043D1D
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  8 Mar 2004 19:50:50 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.10/8.12.10) with ESMTP id i293on72052665
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 8 Mar 2004 19:50:49 -0800 (PST)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.10/8.12.10/Submit) id i293onhe052664;
	Mon, 8 Mar 2004 19:50:49 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200403090350.i293onhe052664@www.freebsd.org>
Date: Mon, 8 Mar 2004 19:50:49 -0800 (PST)
From: Rojer <myself@rojer.pp.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw2 uid matching doesn't work correctly
X-Send-Pr-Version: www-2.3

>Number:         63961
>Category:       kern
>Synopsis:       ipfw2 uid matching doesn't work correctly
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    csjp
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 08 20:00:32 PST 2004
>Closed-Date:    Mon Nov 08 16:00:36 GMT 2004
>Last-Modified:  Mon Nov 08 16:00:36 GMT 2004
>Originator:     Rojer
>Release:        5.2.1
>Organization:
>Environment:
FreeBSD gw.hq.rojer.pp.ru 5.2.1-RELEASE-p1 FreeBSD 5.2.1-RELEASE-p1 #5: Sat Mar  6 03:33:29 MSK 2004     rojer@gw.hq.rojer.pp.ru:/usr/obj/usr/src/sys/RojerHQ  i386
>Description:
uid matching doesn't work with 'setup' rules,
e.g. the following rule

pass tcp from any to me 49152-65535 uid ftp setup

is syntactically correct but won't ever match, while it would be nice if it did. It seems like the uid is not yet known for packets with tcpflags syn,!ack. But why is it so? The destination port is known and the listening socket is already established, so it should be possible to match the uid of incoming 'setup' packets.

Facing the fact that I cannot filter by uid and setup conditions at the same time, I wrote the following rules:

# allow syn-packets
add pass tcp from any to me 49152-65535 setup
# allow syn-ack packets originating from ftp
add pass log tcp from me to any tcpflags syn,ack uid ftp
# deny all other syn-ack packets
add drop log tcp from me 49152-65535 to any tcpflags syn,ack

The idea was to allow only the ftp server to listen at high ports.
To my surprise, no packets matched the second rule and passive ftp data connections wouldn't be established. To me this is clearly a bug, which is why I'm submitting it.

Lastly, negation of the uid condition doesn't seem to work.
Trying to
 add pass log tcp from me to any uid \!ftp
simply gives an error saying "uid "!ftp" nonexistent",
and writing it like this
 add pass log tcp from me to any not uid ftp
gives exactly the opposite:
01000 allow log tcp from me to any uid ftp

>How-To-Repeat:
      
>Fix:

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: kris 
Responsible-Changed-When: Mon Mar 15 16:33:36 PST 2004 
Responsible-Changed-Why:  
Assign to ipfw mailing list 

http://www.freebsd.org/cgi/query-pr.cgi?pr=63961 
Responsible-Changed-From-To: freebsd-ipfw->ipfw 
Responsible-Changed-By: simon 
Responsible-Changed-When: Mon Mar 22 11:41:11 PST 2004 
Responsible-Changed-Why:  
Reassign to ipfw to avoid duplicate reminder mail. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=63961 
Responsible-Changed-From-To: ipfw->csjp 
Responsible-Changed-By: csjp 
Responsible-Changed-When: Tue Aug 24 20:57:29 GMT 2004 
Responsible-Changed-Why:  
I think this might not be a bug. 

If you want to match setup packets for TCP connections it 
does work, but only if the connection has a PCB associated with it. 
For instance, outgoing setup would have a PCB associated with it, 
so ipfw could match on that: 

dev0# ipfw show 
00400     1      64 count tcp from any to any dst-port 4296 setup uid csjp 

It should be noted that all the "setup" keyword does is set the 
O_TCPFLAGS opcode and set the operand to TH_SYN for SYN packets. 
I don't think incoming TCP connection requests would have a 
PCB associated with them, so there is no way that ipfw can look 
up the credential associated with them. 

However the UID negation problem looks like it could be a bug 
either in how ipfw(8) reports the rule or how the kernel is 
processing it. In either case I will look into it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=63961 
State-Changed-From-To: open->analyzed 
State-Changed-By: csjp 
State-Changed-When: Sat Sep 11 19:57:36 GMT 2004 
State-Changed-Why:  
I have fixed the "not" and "or" operators for uid, gid 
and jail based constraints. I have committed it to head 
and will MFC it provided no issues arise from it in a 
week or so. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=63961 
State-Changed-From-To: analyzed->closed 
State-Changed-By: csjp 
State-Changed-When: Mon Nov 8 15:59:51 GMT 2004 
State-Changed-Why:  
This problem was fixed in one of my previous commits to ipfw(8) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=63961 
>Unformatted:
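The matching behaviour discussed in the Description and in csjp's analysis above, as an added example that is not part of the PR and not FreeBSD's ip_fw2.c or ipfw(8) code: a small Python model of how ipfw2 walks a rule's opcodes against one packet. The credential lookup follows my reading of ip_fw2.c of that era and is an assumption here: for TCP it asks the PCB table for an exact four-tuple match with no listen-socket wildcard, so an inbound SYN, or a SYN-ACK the stack still answers from the syncache, finds no PCB and a uid opcode cannot match, while any packet on an established or connected socket does. The `not` keyword is modelled as inverting the opcode's result, which is what csjp's fix makes ipfw(8) emit. The addresses, port numbers, uid values, the "me" address and the scenario labels are constructed for this example.

```python
"""Toy model of ipfw2 uid matching, written to illustrate PR kern/63961.
Constructed example; not FreeBSD's ip_fw2.c or ipfw(8) code."""
import re

TH_SYN, TH_ACK = 0x02, 0x10
USERS = {"root": 0, "ftp": 14, "csjp": 1001}   # constructed passwd snippet (uid values assumed)
ME = {"192.0.2.1"}                              # constructed: the firewall host's own address

class Packet:
    def __init__(self, src, sport, dst, dport, flags, outgoing):
        self.src, self.sport, self.dst, self.dport = src, sport, dst, dport
        self.flags, self.outgoing = flags, outgoing

def parse_rule(text):
    """Parse the ipfw(8) subset used in the PR into (action, [(opcode, arg, negated)]).
    'setup' is sugar for tcpflags syn,!ack; 'log' and a leading 'add' are ignored."""
    tok = [t for t in text.split() if t not in ("add", "log")]
    if tok[0].isdigit():                        # optional rule number, as in 'ipfw show' output
        tok.pop(0)
    action = tok.pop(0)
    if len(tok) < 5 or tok[0] != "tcp" or tok[1] != "from" or tok[3] != "to":
        raise ValueError("only 'tcp from X to Y ...' rules are modelled")
    ops = [("src", tok[2], False), ("dst", tok[4], False)]
    tok, neg = tok[5:], False
    while tok:
        t = tok.pop(0)
        if t == "not":                          # applies to the next opcode only
            neg = True
            continue
        if re.fullmatch(r"\d+(-\d+)?", t):      # port or range right after the dst address
            lo, _, hi = t.partition("-")
            ops.append(("dst-port", (int(lo), int(hi or lo)), neg))
        elif t == "dst-port":
            lo, _, hi = tok.pop(0).partition("-")
            ops.append(("dst-port", (int(lo), int(hi or lo)), neg))
        elif t == "setup":
            ops.append(("tcpflags", (TH_SYN, TH_ACK), neg))
        elif t == "tcpflags":
            want = clear = 0
            for f in tok.pop(0).split(","):
                bit = {"syn": TH_SYN, "ack": TH_ACK}[f.lstrip("!")]
                if f.startswith("!"):
                    clear |= bit
                else:
                    want |= bit
            ops.append(("tcpflags", (want, clear), neg))
        elif t == "uid":
            name = tok.pop(0)
            if name not in USERS:               # 'uid !ftp' fails here, the way the PR reports
                raise ValueError(f'uid "{name}" nonexistent')
            ops.append(("uid", USERS[name], neg))
        else:
            raise ValueError("unsupported token " + t)
        neg = False
    return action, ops

def lookup_uid(pkt, pcbs):
    """Assumed credential lookup: an exact (local addr, local port, foreign addr,
    foreign port) PCB entry, no listen-socket wildcard, so only sockets past the
    handshake (or a client socket that has already connected) are found."""
    key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if pkt.outgoing
           else (pkt.dst, pkt.dport, pkt.src, pkt.sport))
    return pcbs.get(key)

def addr_match(spec, addr):
    return spec == "any" or (addr in ME if spec == "me" else addr == spec)

def rule_matches(ops, pkt, pcbs):
    """Walk the opcodes; every one must match, and 'not' flips the result of its opcode."""
    for name, arg, neg in ops:
        if name == "src":
            m = addr_match(arg, pkt.src)
        elif name == "dst":
            m = addr_match(arg, pkt.dst)
        elif name == "dst-port":
            m = arg[0] <= pkt.dport <= arg[1]
        elif name == "tcpflags":
            want, clear = arg
            m = (pkt.flags & want) == want and (pkt.flags & clear) == 0
        else:                                   # uid: no PCB means the opcode cannot match
            uid = lookup_uid(pkt, pcbs)
            m = uid is not None and uid == arg
        if neg:
            m = not m
        if not m:
            return False
    return True

def pr_scenarios():
    """The situations discussed in the PR, with constructed hosts and ports. Returns {label: matched}."""
    client, srv = "198.51.100.7", "192.0.2.1"
    pcbs = {                                    # only these sockets have an exact-match PCB
        (srv, 50000, client, 40000): USERS["ftp"],   # established passive-mode data connection
        (srv, 40001, client, 4296): USERS["csjp"],   # csjp's outgoing connection, socket already bound
    }
    inbound_syn = Packet(client, 40003, srv, 50002, TH_SYN, outgoing=False)            # new request, no PCB
    synack_out = Packet(srv, 50002, client, 40003, TH_SYN | TH_ACK, outgoing=True)     # answered from syncache
    data_out = Packet(srv, 50000, client, 40000, TH_ACK, outgoing=True)                # on the established socket
    csjp_syn_out = Packet(srv, 40001, client, 4296, TH_SYN, outgoing=True)             # outgoing setup
    cases = {
        "submitter: inbound setup with uid": ("pass tcp from any to me 49152-65535 uid ftp setup", inbound_syn),
        "submitter: syn-ack from ftp": ("add pass log tcp from me to any tcpflags syn,ack uid ftp", synack_out),
        "established data packet from ftp": ("pass tcp from me to any uid ftp", data_out),
        "csjp: outgoing setup with uid": ("count tcp from any to any dst-port 4296 setup uid csjp", csjp_syn_out),
        "fixed 'not uid ftp' on ftp packet": ("add pass log tcp from me to any not uid ftp", data_out),
        "fixed 'not uid ftp' on csjp packet": ("add pass log tcp from me to any not uid ftp", csjp_syn_out),
    }
    return {k: rule_matches(parse_rule(r)[1], p, pcbs) for k, (r, p) in cases.items()}

def try_bang_syntax():
    """What 'uid \\!ftp' produces in this model: the same error text the PR quotes."""
    try:
        parse_rule("add pass log tcp from me to any uid !ftp")
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    for label, hit in pr_scenarios().items():
        print(f"{'match   ' if hit else 'no match'}  {label}")
    print(try_bang_syntax())
```

Running it reproduces the report: the two rules from the Description never match, because neither the inbound SYN nor the SYN-ACK has a PCB for the lookup to find, while csjp's outgoing `setup uid csjp` rule and a rule on an established connection from the ftp user do. With `not` honoured, `not uid ftp` passes csjp's packet and rejects the ftp user's, which is the behaviour the submitter expected and the fix restores. The model says nothing about the kernel's real data structures; it only makes the "PCB or no PCB" distinction from the audit trail concrete.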
