Christos Zoulas wrote: > On Feb 19, 10:55pm, al...@yandex.ru (Alexander Nasonov) wrote: > -- Subject: Re: CVS commit: src/sys/dist/pf/net > > | I think it's perfectly normal for an incoming packet to have no > | cred. For instance, if that packet is about to be accepted. > > Yes, that is what I was thinking. > > | pd->lookup.uid and pd->lookup.gid are set to UID_MAX and GID_MAX > | at the beginning of the function. They can be probably changed only > | if so_cred is set: > | > | if (so == NULL) > > return -1; > if (so->so_cred != NULL) { > > pd->lookup.uid = > kauth_cred_geteuid(so->so_cred); > pd->lookup.gid = > kauth_cred_getegid(so->so_cred); > } > > Or should return -1 there too without printing anything... > I have not looked if -1 is handled differently. >
What does return -1 do? Skip a packet? Reject? I think it reasonable to set uid to something that can't belong to a real user and pass control to pf matching engine. I don't know about pf internals to confirm whether this can work as expected. So, I'm running the new kernel with my change to pf_socket_lookup and without your change in ipc_socket2.c. I see randomly rejected packets in pflog but otherwise it runs fine. I'll try your change tomorrow. -- Alex