Christos Zoulas wrote:
> On Feb 19, 10:55pm, al...@yandex.ru (Alexander Nasonov) wrote:
> -- Subject: Re: CVS commit: src/sys/dist/pf/net
> 
> | I think it's perfectly normal for an incoming packet to have no
> | cred. For instance, if that packet is about to be accepted.
> 
> Yes, that is what I was thinking.
> 
> | pd->lookup.uid and pd->lookup.gid are set to UID_MAX and GID_MAX
> | at the beginning of the function. They can be probably changed only
> | if so_cred is set:
> | 
> |         if (so == NULL)
> |                 return -1;
> |         if (so->so_cred != NULL) {
> |                 pd->lookup.uid = kauth_cred_geteuid(so->so_cred);
> |                 pd->lookup.gid = kauth_cred_getegid(so->so_cred);
> |         }
> 
> Or should return -1 there too without printing anything...
> I have not looked if -1 is handled differently.
> 

What does return -1 do? Skip a packet? Reject?

I think it reasonable to set uid to something that can't belong to
a real user and pass control to the pf matching engine. I don't know
enough about pf internals to confirm whether this can work as expected.

So, I'm running the new kernel with my change to pf_socket_lookup
and without your change in ipc_socket2.c. I see randomly rejected
packets in pflog but otherwise it runs fine.

I'll try your change tomorrow.

-- 
Alex
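As an added illustration (not code from the NetBSD tree or from either poster), a small C model of the behaviour Alexander describes: uid/gid begin at UID_MAX/GID_MAX, a missing socket returns -1, and a socket without so_cred keeps the sentinel, so a rule naming a real user cannot match it. The struct layouts, the range-style rule match and the helper names are simplifying assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures (assumption, not kernel code). */
#define UID_MAX UINT32_MAX
#define GID_MAX UINT32_MAX
struct cred      { uint32_t euid, egid; };
struct sock      { struct cred *so_cred; };
struct pf_lookup { uint32_t uid, gid; };

/* Model of the pf_socket_lookup() path: uid/gid start as sentinels that no
 * real user owns; a missing socket yields -1; a socket without a credential
 * keeps the sentinels rather than being rejected or logged. */
static int socket_lookup(const struct sock *so, struct pf_lookup *pd)
{
    pd->uid = UID_MAX;
    pd->gid = GID_MAX;
    if (so == NULL)
        return -1;
    if (so->so_cred != NULL) {
        pd->uid = so->so_cred->euid;
        pd->gid = so->so_cred->egid;
    }
    return 1;
}

/* A rule constraining the socket owner to uids in [lo, hi] (e.g. "user root"). */
static int rule_matches_uid(uint32_t lo, uint32_t hi, uint32_t uid)
{
    return uid >= lo && uid <= hi;
}

/* uid the matching engine would see for a constructed socket; last_rv keeps
 * the lookup's return value so "no socket" can be told apart from "no cred". */
static int last_rv;
static uint32_t uid_seen(int has_socket, int has_cred, uint32_t euid)
{
    struct cred c = { euid, euid };
    struct sock so = { has_cred ? &c : NULL };
    struct pf_lookup pd;
    last_rv = socket_lookup(has_socket ? &so : NULL, &pd);
    return pd.uid;
}

int main(void)
{
    uint32_t uid = uid_seen(1, 0, 0);
    printf("credless socket: rv=%d uid=%u matches 'user root'=%d\n",
           last_rv, uid, rule_matches_uid(0, 0, uid));
    return 0;
}
```

A rule whose uid range reaches UID_MAX (effectively "any user") still matches the sentinel, so the sentinel only keeps rules naming real users from matching credless packets.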
