On Thu, Aug 15, 2013 at 9:39 AM, Stuart Henderson <st...@openbsd.org> wrote:
> On 2013/08/15 15:36, Henning Brauer wrote:
>> * Stuart Henderson <st...@openbsd.org> [2013-08-15 12:28]:
>> > On 2013/08/14 22:05, Philip Guenther wrote:
>> > I think that, as things stand, either the documentation or implementation
>> > are wrong:
>> >
>> > "The value unknown matches packets of forwarded connections."
>>
>> the uid/gid-of-socket code in pf hasn't been touched in ages if ever
>> after initial implementation, if it's wrong nobody noticed in many
>> many many years (not impossible).
>
> Probably nobody tried to use it... it was not obvious to me at
> first reading that the word "unknown" could be used as a literal,
> I thought it was just saying that for a forwarded connection we
> didn't know the username (which is obvious anyway..)..
See, my problem is that I go digging through the source :)

The "unknown" user is translated to UID_MAX, which is what pf_socket_lookup uses when the look-up fails. Unfortunately, pf_match_{uid,gid} don't distinguish the "forwarding" case from the "firewall is the destination, but nothing is listening" case. I believe that this is part of the problem, but there are likely some other issues.

The correct operation should be this:

1. "user = unknown" passes if and only if the firewall is neither the source nor the destination. Pure forwarding case inbound or outbound.

2. "user = X" passes if and only if the firewall is the source with the socket opened by a matching uid (outbound), or the firewall is the destination with a listening socket owned by a matching uid (inbound).

Then do the same for "group" and flip the logic for !=.
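As an added illustration of the two semantics discussed in this thread (this is not pf code from OpenBSD and not code posted by anyone in the thread): the model below puts the "current" behaviour, where a failed socket lookup collapses to UID_MAX, next to the proposed one, where "unknown" only matches a purely forwarded packet. The names enum lookup_state, struct sock_owner, match_owner_current() and match_owner_proposed() are hypothetical, chosen for this example; UID_MAX here stands in for the value pf translates the "unknown" keyword to, and the three sample packets in main() are constructed.

```c
/*
 * Added illustration of pf "user"/"group" matching semantics. NOT OpenBSD
 * pf code: enum lookup_state, struct sock_owner, match_owner_current() and
 * match_owner_proposed() are hypothetical names for this example. UID_MAX
 * stands in for what the "unknown" keyword is translated to.
 */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

#define UID_MAX 0xffffffffU     /* what "user = unknown" becomes */

/* Result of looking up the local socket for a packet (hypothetical). */
enum lookup_state {
	LK_FORWARDED,    /* firewall is neither source nor destination */
	LK_LOCAL_NOSOCK, /* firewall is an endpoint, but no socket matched */
	LK_LOCAL_SOCK    /* firewall is an endpoint and a socket was found */
};

struct sock_owner {
	enum lookup_state state;
	uid_t uid;       /* socket owner; valid only for LK_LOCAL_SOCK */
};

enum rule_op { OP_EQ, OP_NE };  /* "user = X" or "user != X" */

/*
 * Behaviour described as current: a failed lookup collapses to UID_MAX,
 * so a forwarded packet and a packet for a local port with no listener
 * look identical to the rule.
 */
static bool
match_owner_current(enum rule_op op, uid_t rule_uid, const struct sock_owner *so)
{
	uid_t uid = (so->state == LK_LOCAL_SOCK) ? so->uid : UID_MAX;
	bool eq = (uid == rule_uid);

	return op == OP_EQ ? eq : !eq;
}

/*
 * Proposed behaviour:
 *   "user = unknown" passes iff the packet is purely forwarded;
 *   "user = X"       passes iff the firewall is an endpoint and the
 *                    socket involved is owned by X;
 *   "!="             flips the result in both cases.
 */
static bool
match_owner_proposed(enum rule_op op, uid_t rule_uid, const struct sock_owner *so)
{
	bool eq;

	if (rule_uid == UID_MAX)
		eq = (so->state == LK_FORWARDED);
	else
		eq = (so->state == LK_LOCAL_SOCK && so->uid == rule_uid);

	return op == OP_EQ ? eq : !eq;
}

int
main(void)
{
	/* Constructed sample packets: forwarded, local with no listener,
	 * and local with a socket owned by uid 1000. */
	const struct sock_owner pkts[] = {
		{ LK_FORWARDED,    0 },
		{ LK_LOCAL_NOSOCK, 0 },
		{ LK_LOCAL_SOCK,   1000 },
	};
	const char *names[] = { "forwarded", "local, no socket", "local, uid 1000" };
	size_t i;

	printf("%-18s %-16s %-16s\n", "packet", "current unknown", "proposed unknown");
	for (i = 0; i < sizeof(pkts) / sizeof(pkts[0]); i++)
		printf("%-18s %-16s %-16s\n", names[i],
		    match_owner_current(OP_EQ, UID_MAX, &pkts[i]) ? "pass" : "no match",
		    match_owner_proposed(OP_EQ, UID_MAX, &pkts[i]) ? "pass" : "no match");
	return 0;
}
```

The "local, no socket" row is the one that differs: under the current collapse-to-UID_MAX behaviour "user = unknown" passes it, under the proposed semantics it passes neither "unknown" nor any specific uid. The same function shape, with gid_t and the socket's group, would cover "group".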