From 4897e8320ea9209bbeca5845249670da31cca5d8 Mon Sep 17 00:00:00 2001
From: Bill Fumerola
Date: Wed, 6 Sep 2000 03:10:42 +0000
Subject: [PATCH] 1. IP_FW_F_{UID,GID} are _not_ commands, they are extras. The sanity checking for them does not belong in the IP_FW_F_COMMAND switch, that mask doesn't even apply to them(!). 2. You cannot add a uid/gid rule to something that isn't TCP, UDP, or IP. XXX - this should be handled in ipfw(8) as well (for more diagnostic output), but this at least protects bogus rules from being added. Pointy hat: green
---
 sys/netinet/ip_fw.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 4ed2b0b2e0ff..2e2bdd379b38 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -1719,6 +1719,13 @@ check_ipfw_struct(struct ip_fw *frwl)
 		}
 	}
+	if (frwl->fw_flg & (IP_FW_F_UID | IP_FW_F_GID)) {
+		if (frwl->fw_prot != (IPPROTO_TCP | IPPROTO_UDP | IPPROTO_IP)) {
+			dprintf(("%s cannot use uid/gid logic on non-TCP/UDP\n", err_prefix));
+			return (EINVAL);
+		}
+	}
+
 	/* Check command specific stuff */
 	switch (frwl->fw_flg & IP_FW_F_COMMAND) {
@@ -1752,8 +1759,6 @@ check_ipfw_struct(struct ip_fw *frwl)
 #ifdef IPFIREWALL_FORWARD
 	case IP_FW_F_FWD:
 #endif
-	case IP_FW_F_UID:
-	case IP_FW_F_GID:
 		break;
 	default:
 		dprintf(("%s invalid command\n", err_prefix));
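Review bot: The protocol guard added in the first hunk compares fw_prot against the bitwise OR of IPPROTO_TCP, IPPROTO_UDP and IPPROTO_IP instead of against each value, so a uid/gid rule on plain TCP or UDP is rejected with EINVAL while only a rule whose protocol number happens to equal that OR value gets through, which is the opposite of what the commit message describes. The condition should be `if (frwl->fw_prot != IPPROTO_TCP && frwl->fw_prot != IPPROTO_UDP && frwl->fw_prot != IPPROTO_IP) {`. Because this check is what keeps uid/gid matching confined to protocols where a socket lookup is meaningful, the wrong comparison also lets a malformed rule with that accidental protocol number pass the very sanity check the hunk introduces. The dprintf text says non-TCP/UDP although IPPROTO_IP is also accepted, so it could read `cannot use uid/gid logic on non-TCP/UDP/IP`. check_ipfw_struct begins and ends outside both hunks.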