Document some limitations of uid/gid rules.

Approved by: re (rwatson) MFC after: 3 days
2005-07-01 09:51:10 +00:00 · 2005-07-01 09:51:10 +00:00 · 4beacf6666
commit 4beacf6666
parent a196a3c8aa
1 changed files with 11 additions and 0 deletions
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@ -2486,3 +2486,14 @@ applied, making the order of
 rules in the rule sequence very important.
 .Pp
 Dummynet drops all packets with IPv6 link-local addresses.
+.Pp
+Rules using
+.Cm uid
+or
+.Cm gid
+may not behave as expected.  In particular, incoming SYN packets may 
+have no uid or gid associated with them since they do not yet belong
+to a TCP connection, and the uid/gid associated with a packet may not 
+be as expected if the associated process calls
+.Xr setuid 2
+or similar system calls.