Greets.

> So the second process seems to be removing the first one's rules. But it
> doesn't kill the process. And I suspect the first process' state entries
> are not removed, either. Just the rules are gone, which means _further_
> connections from userA are blocked. Those that he established before
> userB logs in (assuming keep state) continue to work, right?
>
> Can you try the patch below, and repeat the previous test?

No. Apparently I cannot. :(

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
FW# cd /usr/src/usr.sbin/authpf/
FW# make clean
rm -f a.out [Ee]rrs mklog core *.core authpf authpf.o parse.o pfctl_parser.o pf_print_state.o pfctl_altq.o pfctl_radix.o authpf.ln pfctl_parser.ln pf_print_state.ln pfctl_altq.ln pfctl_radix.ln y.tab.h
FW# patch authpf.c </tmp/work/patch-authpf.txt
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: authpf.c
|===================================================================
|RCS file: /cvs/src/usr.sbin/authpf/authpf.c,v
|retrieving revision 1.64
|diff -u -r1.64 authpf.c
|--- authpf.c	3 Jul 2003 21:09:13 -0000	1.64
|+++ authpf.c	7 Jul 2003 18:40:39 -0000
--------------------------
Patching file authpf.c using Plan A...
Hunk #1 succeeded at 546.
Hunk #2 succeeded at 699.
done
FW# ls -al
total 265
drwxr-xr-x    2 root  wheel     512 Jul  7 19:49 .
drwxr-xr-x  102 root  wheel    2048 Jul  4 21:32 ..
-rw-r--r--    1 root  wheel     382 Jan  3  2003 Makefile
-rw-r--r--    1 root  wheel   14432 Jun 23 09:41 authpf.8
-rw-r--r--    1 root  wheel   21595 Jul  7 19:49 authpf.c
-rw-r--r--    1 root  wheel   21554 Jul  3 17:09 authpf.c.orig
-rw-r--r--    1 root  wheel    1868 Jun  3 16:38 pathnames.h
-rw-r--r--    1 root  wheel  189056 Jul  7 18:58 y.tab.c
FW# md5 authpf.c
MD5 (authpf.c) = 2355ccd7e5299dbe3169034ff4a79c57
FW# make
cc -O2 -pipe -I/usr/src/usr.sbin/authpf/../../sbin/pfctl -Wall -Werror -mcpu=v8 -c authpf.c
yacc -d /usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y
cc -O2 -pipe -I/usr/src/usr.sbin/authpf/../../sbin/pfctl -Wall -Werror -mcpu=v8 -c -o parse.o y.tab.c
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y: In function `filter_consistent':
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:3051: `PF_STATE_SYNPROXY' undeclared (first use in this function)
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:3051: (Each undeclared identifier is reported only once
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:3051: for each function it appears in.)
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:3079: structure has no member named `tagname'
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:3079: structure has no member named `match_tagname'
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y: In function `yyparse':
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:674: `PFRULE_REASSEMBLE_TCP' undeclared (first use in this function)
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:1317: structure has no member named `tagname'
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:1318: `PF_TAG_NAME_SIZE' undeclared (first use in this function)
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:1324: structure has no member named `match_tagname'
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:1330: structure has no member named `match_tag_not'
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:2293: `PF_STATE_SYNPROXY' undeclared (first use in this function)
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:2552: structure has no member named `natpass'
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:2565: structure has no member named `tagname'
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:2703: structure has no member named `natpass'
/usr/src/usr.sbin/authpf/../../sbin/pfctl/parse.y:2723: structure has no member named `tagname'
*** Error code 1

Stop in /usr/src/usr.sbin/authpf.
FW#
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

For giggles, I commented out my mk.conf to exclude -pipe and -mcpu=v8.
Not surprisingly, it had no effect.

Sorry I don't have a more positive post. :)

Thanks for your input.

Ed Powers
