User id and group id integration in NPF #45
Conversation
we can set our uids or gids as numbers,(1001), names(Kojo), or a variable that holds a number of name($my_id) pass all user 1000 pass all user Kojo pass all user $myuser(containing Kojo or 1001) same applies with group id. NB: keyword for gid is usergroup eg. pass all usergroup wheel(we cannot use group because group already exist)
… owner of that socket.
so we perform a comparison with the user on our rule and the user for the process involved, if it matches, proceed to block or pass. if it doesn't match, reveres from pass to block. if we pass on user Christos, it has to block on user Martin. iif we block on user Martin, it passes on user Christos. (pass->block)just rip of pass bit fields from return flag and insert block field (block->pass)same here. just rip block bit fields and insert pass field
usr.sbin/npf/npfctl/npf_parse.y
Outdated
| uid_item | ||
| : uid | ||
| { | ||
| if (($$ = calloc(1, sizeof(struct r_uid))) == NULL) |
There was a problem hiding this comment.
write a method that takes 3 arguments instead of repeating the code.
usr.sbin/npf/npfctl/npf_data.c
Outdated
| struct passwd *pw; | ||
|
|
||
| if ((pw = getpwnam(user)) == NULL) { | ||
| return 1; |
There was a problem hiding this comment.
Don't use 1 as an error, what is the difference between unknown and error?
usr.sbin/npf/npfctl/npf_data.c
Outdated
| npfctl_parse_user(const char *user) | ||
| { | ||
| uint32_t uid; | ||
| if (!(strcmp(user, "unknown"))) |
sys/net/npf/npf_ruleset.c
Outdated
| return -1; | ||
|
|
||
| matched = 0; | ||
| if ( rl->uid) |
usr.sbin/npf/npfctl/npf_parse.y
Outdated
|
|
||
| group_id | ||
| : /* empty */ { $$ = NULL; } | ||
| | USERGROUP gids { $$ = $2; } |
There was a problem hiding this comment.
Are you calling this "USERGROUP" instead of "GROUP" because group is already used?
|
Yes!
On 17 Mar 2025, at 1:26 PM, zoulasc ***@***.***> wrote:
@zoulasc commented on this pull request.
In usr.sbin/npf/npfctl/npf_parse.y <#45 (comment)>:
> + $$ = npfvar_expand_number(vp);
+ break;
+ case -1:
+ yyerror("undefined variable '%s'", $1);
+ break;
+ default:
+ yyerror("wrong variable '%s' type '%s' for user id",
+ $1, npfvar_type(type));
+ break;
+ }
+ }
+ ;
+
+group_id
+ : /* empty */ { $$ = NULL; }
+ | USERGROUP gids { $$ = $2; }
Are you calling this "USERGROUP" instead of "GROUP" because group is already used?
—
Reply to this email directly, view it on GitHub <#45 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANU23YNGAMNKLUPNQDFKEGD2U3ERZAVCNFSM6AAAAABZFEDJMGVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDMOJQGQ4TINRVGM>.
You are receiving this because you authored the thread.
Emmanuel
|
functions implementing for setting the uid and gid structure. group keyword used gids whitespace fixed no parens on strcmp
| static int | ||
| npf_match(uint8_t op, uint32_t rid1, uint32_t rid2, uint32_t id_lp) | ||
| { | ||
| switch (op) { |
lib/libnpf/npf.c
Outdated
| } | ||
|
|
||
| int | ||
| npf_rule_setrugrp(nl_rule_t *rl, struct r_gid *gid) |
There was a problem hiding this comment.
why ugrp instead of group?
lib/libnpf/npf.c
Outdated
| int | ||
| npf_rule_setruser(nl_rule_t *rl, struct r_uid *uid) | ||
| { | ||
| int error = 0; |
There was a problem hiding this comment.
why use error? delete the var and return directly.
sys/net/npf/npf_ctl.c
Outdated
| const uint64_t *uid = nvlist_get_number_array(req, "r_user", &uitems); | ||
| KASSERT(uitems == 3); | ||
|
|
||
| r_uid.uid[0] = (uint32_t)uid[0]; |
There was a problem hiding this comment.
these should be (uid_t) not (uint32_t).
There was a problem hiding this comment.
but... you are using so much uint32_t and uid_t/gid_t interchangeably, so why don't you just call it id in the structure, make it uint32_t and then merge all the duplicated code. You can put in a comment why (both uid_t and gid_t and uint32_t and using uint32_t saves a lot of code duplication).
sys/net/npf/npf.h
Outdated
| @@ -59,6 +59,16 @@ typedef union { | |||
| uint32_t word32[4]; | |||
| } npf_addr_t; | |||
|
|
|||
| struct r_uid { | |||
There was a problem hiding this comment.
If you merge the two structs call it r_id { uint32_t id[2]; uint8_t op; };
Then you can merge most of the code.
sys/net/npf/npf_socket.c
Outdated
| int | ||
| npf_socket_lookup_uid(npf_cache_t *npc, int dir, uint32_t *uid) | ||
| { | ||
| struct inpcbtable *tb = NULL; |
There was a problem hiding this comment.
tb is NULL, why put it in a variable instead of passing NULL?
sys/net/npf/npf_socket.c
Outdated
|
|
||
| if (npf_iscached(npc, NPC_IP4)) { | ||
| so = npf_ip_socket(npc, tb, dir); | ||
|
|
|
|
||
| } else if (npf_iscached(npc, NPC_IP6)) { | ||
| so = npf_ip6_socket(npc, tb, dir); | ||
| } |
There was a problem hiding this comment.
else return -1; then you don't need to over-initialize so = NULL;
| } | ||
|
|
||
| int | ||
| npf_socket_lookup_gid(npf_cache_t *npc, int dir, uint32_t *gid) |
There was a problem hiding this comment.
this is duplicated for uid and gid merge them.
sys/net/npf/npf_ruleset.c
Outdated
| @@ -118,6 +118,9 @@ struct npf_rule { | |||
| LIST_ENTRY(npf_rule) r_aentry; | |||
| nvlist_t * r_info; | |||
| size_t r_info_len; | |||
|
|
|||
| rid_t *uid; | |||
There was a problem hiding this comment.
I don't know about storing pointers here and needing to allocate and free them seems to be a lot of work for very little benefit since the structures are small. Perhaps just store the structures and add NPF_OP_INVALID as the first element of the enum to mean 0 == unused?
There was a problem hiding this comment.
I agree. too small to be allocating for it not optimal.
| /* again, use a single rule getid function both uid and gids */ | ||
| static rid_t | ||
| npf_rule_getrid(const nvlist_t *req, const char *name) | ||
| { |
There was a problem hiding this comment.
Why all this machinery? get rid of npf_rule_getrid and put all of it in npf_rule_setrid and operate on the pointer directly.
| } | ||
|
|
||
| void | ||
| npf_rule_setuid(const nvlist_t *req, npf_rule_t *rl, const char *name) |
There was a problem hiding this comment.
and these two are overkill too. Just do it directly.
There was a problem hiding this comment.
I don't think It will be possible to do it directly here means I would have to call it in npf_ctl.c where it extracts the nvpair. I would have to pass rl->uid as argument to the function and it won't work because rl is an opaque type in npf_ruleset TU and hence cannot be dereferenced out of the ruleset TU
There was a problem hiding this comment.
Also, don't memcpy() structures -- just assign them.
| * if socket id doesn't match any of rule ids, reverse action | ||
| */ | ||
| int | ||
| npf_rule_match_user(npf_rule_t *rl, npf_cache_t *npc, int dir) |
There was a problem hiding this comment.
these two can be merged too, by passing the function npf_socket_lookup_uid/gid as a parameter.
| double fpnum; | ||
| npfvar_t * var; | ||
| addr_port_t addrport; | ||
| filt_opts_t filtopts; | ||
| opt_proto_t optproto; | ||
| rule_group_t rulegroup; | ||
| rid_t *uid; |
There was a problem hiding this comment.
those don't have to be pointers either. makes the code simpler.
we can set our uids or gids as numbers,(1001), names(Kojo), or a variable that holds a number of name($my_id)
pass all user 1000
pass all user Kojo
pass all user $myuser(containing Kojo or 1001)
same applies with group id.
NB: keyword for gid is usergroup
eg. pass all usergroup wheel(we cannot use group because group already exist)