authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-05-12 15:02:53 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-05-12 15:02:53 +0000
commit09101e13b4b9b464a686f6fa57d11183bbd60dda (patch)
tree6252545da29c9d50f62a0268d24b10333c1eb162
parent8b16b811eba951760290b325803b32b433184a90 (diff)
Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does not match forwarded packets with unknown user ID.
-rw-r--r--sbin/pfctl/parse.y18
-rw-r--r--share/man/man5/pf.conf.519
2 files changed, 32 insertions, 5 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 85d9fd077d6..207f30f179a 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.65 2002/05/12 00:54:56 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.66 2002/05/12 15:02:52 dhartmei Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -671,6 +671,10 @@ uid_item : uid {
$$->next = NULL;
}
| PORTUNARY uid {
+ if ($2 == UID_MAX && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
+ yyerror("user unknown requires operator = or !=");
+ YYERROR;
+ }
$$ = malloc(sizeof(struct node_uid));
if ($$ == NULL)
err(1, "uid_item: malloc");
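Review bot: The guard added at the top of the `PORTUNARY uid` action uses `UID_MAX` as the in-band marker for 'unknown', so a rule that spells out the numeric id `UID_MAX` literally (if the `uid` rule accepts it; that rule is outside this hunk) is refused with "user unknown requires operator = or !=", a message that does not describe what was typed. If the sentinel is intended, a comment above the check should say so, e.g. `/* UID_MAX is the parser's sentinel for 'unknown'; only = and != are meaningful for it */`, and the `uid` rule should reject a literal UID_MAX so the two cannot collide. The rest of the action (the malloc and the field assignments) continues past the end of the hunk.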
@@ -680,6 +684,10 @@ uid_item : uid {
$$->next = NULL;
}
| uid PORTBINARY uid {
+ if ($1 == UID_MAX || $3 == UID_MAX) {
+ yyerror("user unknown requires operator = or !=");
+ YYERROR;
+ }
$$ = malloc(sizeof(struct node_uid));
if ($$ == NULL)
err(1, "uid_item: malloc");
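Review bot: The error text in the new check of the `uid PORTBINARY uid` action tells the user to switch to `=` or `!=`, but a binary (range) form has no such operator to switch to, so the message points at the wrong fix; `yyerror("user unknown cannot be used in a range");` names the actual problem. The check is correctly placed before the `malloc`, so rejecting the rule leaks nothing. The tail of the action lies outside the hunk.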
@@ -731,6 +739,10 @@ gid_item : gid {
$$->next = NULL;
}
| PORTUNARY gid {
+ if ($2 == GID_MAX && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
+ yyerror("group unknown requires operator = or !=");
+ YYERROR;
+ }
$$ = malloc(sizeof(struct node_gid));
if ($$ == NULL)
err(1, "gid_item: malloc");
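Review bot: The guard added to the `PORTUNARY gid` action is the third copy of the same four-line check in this commit (uid unary, uid binary, and here), differing only in the sentinel constant and one word of the message, and a fourth follows for the gid range form; as a matter of style, one static helper keeps the four in step if the rule ever changes. Something like the helper below, called as `if (check_unknown_op($1, $2 == GID_MAX, "group")) YYERROR;`, would do; the type of the `PORTUNARY` token value is not visible here, so match `op` to it, and if `yyerror` in this file does not take printf-style arguments, build the message before the call. The action continues past the hunk.
```c
/*
 * 'unknown' (the UID_MAX/GID_MAX sentinel) is only meaningful with = or !=.
 * Reports the error and returns non-zero when is_unknown is set and op is
 * any other operator; returns 0 otherwise.
 */
static int
check_unknown_op(int op, int is_unknown, const char *what)
{
	if (!is_unknown || op == PF_OP_EQ || op == PF_OP_NE)
		return (0);
	yyerror("%s unknown requires operator = or !=", what);
	return (-1);
}
```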
@@ -740,6 +752,10 @@ gid_item : gid {
$$->next = NULL;
}
| gid PORTBINARY gid {
+ if ($1 == GID_MAX || $3 == GID_MAX) {
+ yyerror("group unknown requires operator = or !=");
+ YYERROR;
+ }
$$ = malloc(sizeof(struct node_gid));
if ($$ == NULL)
err(1, "gid_item: malloc");
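Review bot: The new check in the `gid PORTBINARY gid` action compares both operands against `GID_MAX` without saying why, and nothing in the hunk ties that constant to the 'unknown' keyword the commit message describes, so a later reader has to locate the `gid` rule (outside this hunk) to learn it is a sentinel. A one-line comment above the `if` — `/* GID_MAX stands for 'unknown'; a range can never contain it */` — makes the intent self-evident. The remainder of the action follows the hunk.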
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index eef2d49e932..f6e8546ad84 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.45 2002/05/12 00:54:56 dhartmei Exp $
+.\" $OpenBSD: pf.conf.5,v 1.46 2002/05/12 15:02:52 dhartmei Exp $
.\"
.\" Copyright (c) 2001, Daniel Hartmeier
.\" All rights reserved.
@@ -281,24 +281,35 @@ listens on the destination port.
For forwarded connections, where the firewall isn't a connection endpoint,
the user and group are
.Em unknown .
+.Pp
All packets, both outgoing and incoming, of one connection are associated
-with the same user.
+with the same user and group.
Only TCP and UDP packets can be associated with users, for other protocols
these parameters are ignored.
+.Pp
User and group refer to the effective (as opposed to the real) IDs, in
case the socket is created by a setuid/setgid process.
Note that user and group IDs are stored when a socket is created;
when a process creates a listening socket as root (for instance, because
it wants to bind to a privileged port) and subsequently sets another
user ID (to drop privileges), the socket's uid remains root.
+.Pp
User and group IDs can be specified as either numbers or names, the
syntax is similar to the one for ports.
The value
.Em unknown
matches packets of forwarded connections.
-Example:
+.Em unknown
+can only be used with operators = and !=, other constructs
+like 'user >= unknown' are invalid.
+Forwarded packets with unknown user and group ID match only rules
+that explicitely compare against
+.Em unknown
+with operator = or !=, for instance 'user >= 0' does not match
+forwarded packets.
+The following example allows only selected users to open outgoing
+connections:
.Bd -literal
- # allow only specific users to open outgoing connections
block out proto { tcp, udp } all
pass out proto { tcp, udp } all user { < 1000, dhartmei } keep state
.Ed