Source-Changes-D archive
Re: CVS commit: src/sys/dist/pf/net
Christos Zoulas wrote:
> On Feb 19, 10:55pm, alnsn%yandex.ru@localhost (Alexander Nasonov) wrote:
> -- Subject: Re: CVS commit: src/sys/dist/pf/net
>
> | I think it's perfectly normal for an incoming packet to have no
> | cred. For instance, if that packet is about to be accepted.
>
> Yes, that is what I was thinking.
>
> | pd->lookup.uid and pd->lookup.gid are set to UID_MAX and GID_MAX
> | at the beginning of the function. They can be probably changed only
> | if so_cred is set:
> |
> | 	if (so == NULL)
> | 		return -1;
> | 	if (so->so_cred != NULL) {
> | 		pd->lookup.uid = kauth_cred_geteuid(so->so_cred);
> | 		pd->lookup.gid = kauth_cred_getegid(so->so_cred);
> | 	}
>
> Or should return -1 there too without printing anything...
> I have not looked if -1 is handled differently.
>
What does return -1 do? Skip a packet? Reject?
I think it reasonable to set uid to something that can't belong to
a real user and pass control to the pf matching engine. I don't know
enough about pf internals to confirm whether this can work as expected.
So, I'm running the new kernel with my change to pf_socket_lookup
and without your change in ipc_socket2.c. I see randomly rejected
packets in pflog but otherwise it runs fine.
I'll try your change tomorrow.
--
Alex
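The three cases the thread argues about (no socket at all, a socket with no credential, a socket with a credential) as an added, self-contained model written for this page; it is not pf's code and not NetBSD's. The struct names (model_socket, model_cred, model_pd), the getter helpers standing in for kauth_cred_geteuid()/kauth_cred_getegid(), and the model_match_user() rule check are all assumptions made here so the snippet runs outside the kernel; UID_MAX/GID_MAX are defined locally only if the host libc lacks them.

```c
/* Stand-alone model of the pf_socket_lookup() behaviour discussed above.
 * Not pf code: struct names, getters and the user-rule check are assumed
 * for illustration. The point being modelled: a socket with so_cred == NULL
 * leaves uid/gid at the "no owner" sentinels instead of dereferencing NULL. */
#include <stddef.h>
#include <limits.h>

#ifndef UID_MAX
#define UID_MAX UINT_MAX          /* assumption: BSD-style sentinel */
#endif
#ifndef GID_MAX
#define GID_MAX UINT_MAX
#endif

struct model_cred   { unsigned int cr_euid; unsigned int cr_egid; };
struct model_socket { struct model_cred *so_cred; };   /* may be NULL */
struct model_pd     { unsigned int uid; unsigned int gid; };

/* Stand-ins for kauth_cred_geteuid()/kauth_cred_getegid(). */
static unsigned int model_cred_geteuid(const struct model_cred *c) { return c->cr_euid; }
static unsigned int model_cred_getegid(const struct model_cred *c) { return c->cr_egid; }

/* Returns -1 when there is no socket to look at (as pf_socket_lookup does),
 * 1 otherwise. uid/gid are always initialised to the sentinels first, and
 * only overwritten when a credential is actually attached. */
int model_socket_lookup(const struct model_socket *so, struct model_pd *pd)
{
	pd->uid = UID_MAX;
	pd->gid = GID_MAX;
	if (so == NULL)
		return -1;
	if (so->so_cred != NULL) {
		pd->uid = model_cred_geteuid(so->so_cred);
		pd->gid = model_cred_getegid(so->so_cred);
	}
	return 1;
}

/* Assumed rule check: a "user"-scoped rule never matches the sentinel, so a
 * cred-less socket cannot satisfy a rule written for a real user. */
int model_match_user(unsigned int rule_uid, const struct model_pd *pd)
{
	if (pd->uid == UID_MAX)
		return 0;
	return pd->uid == rule_uid;
}

/* Case 1: no socket at all -> -1, sentinels untouched. */
int model_case_no_socket(void)
{
	struct model_pd pd;
	int r = model_socket_lookup(NULL, &pd);
	return r == -1 && pd.uid == UID_MAX && pd.gid == GID_MAX;
}

/* Case 2: socket exists but so_cred == NULL (e.g. a packet about to be
 * accepted) -> lookup succeeds, sentinels stay, no user rule matches. */
int model_case_no_cred(void)
{
	struct model_socket so = { NULL };
	struct model_pd pd;
	int r = model_socket_lookup(&so, &pd);
	return r == 1 && pd.uid == UID_MAX && pd.gid == GID_MAX
	    && !model_match_user(UID_MAX, &pd) && !model_match_user(0, &pd);
}

/* Case 3: credential present (constructed uid 1000 / gid 100). */
int model_case_with_cred(void)
{
	struct model_cred c = { 1000, 100 };
	struct model_socket so = { &c };
	struct model_pd pd;
	int r = model_socket_lookup(&so, &pd);
	return r == 1 && pd.uid == 1000 && pd.gid == 100
	    && model_match_user(1000, &pd) && !model_match_user(0, &pd);
}

int main(void)
{
	return (model_case_no_socket() && model_case_no_cred()
	    && model_case_with_cred()) ? 0 : 1;
}
```

The model only shows the lookup side; whether pf's own matching code treats UID_MAX the way model_match_user() does is exactly the question left open in the thread, so treat that function as the assumption it is labelled as.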