author: cperciva <cperciva@FreeBSD.org> 2005-07-01 09:51:10 +0000
committer: cperciva <cperciva@FreeBSD.org> 2005-07-01 09:51:10 +0000
commit: 9fc0d88f30b7736e0b2672d838600e9d289f7dfd
tree: 6b1fcfe37866243139256d0f116032af8f7f9299 /sbin
parent: c6a8611901a1dc87a038a7c569c5c474c482413f
Document some limitations of uid/gid rules.
Approved by: re (rwatson)
MFC after: 3 days
Diffstat (limited to 'sbin')
-rw-r--r-- sbin/ipfw/ipfw.8 | 11
1 files changed, 11 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index bc41aad..ae5a8d1 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -2486,3 +2486,14 @@ applied, making the order of
rules in the rule sequence very important.
.Pp
Dummynet drops all packets with IPv6 link-local addresses.
+.Pp
+Rules using
+.Cm uid
+or
+.Cm gid
+may not behave as expected. In particular, incoming SYN packets may
+have no uid or gid associated with them since they do not yet belong
+to a TCP connection, and the uid/gid associated with a packet may not
+be as expected if the associated process calls
+.Xr setuid 2
+or similar system calls.
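Review bot: the added paragraph says twice that things "may not behave as expected" / "may not be as expected" without saying what does happen, so a reader cannot tell when a uid or gid rule is safe to rely on. For the SYN case, state the consequence directly, namely that a rule with uid or gid may fail to match an incoming SYN because no uid or gid is associated with it yet. For the setuid(2) case, say which credentials the packet is matched against rather than only that they may differ. As a style point, the line "may not behave as expected. In particular, incoming SYN packets may" ends one sentence and starts the next mid-line; mdoc sources conventionally begin each sentence on its own line, so break after "expected."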