From 4beacf666641de2c7fdf57497a906a87918dcefa Mon Sep 17 00:00:00 2001 From: Colin Percival Date: Fri, 1 Jul 2005 09:51:10 +0000 Subject: [PATCH] Document some limitations of uid/gid rules. Approved by: re (rwatson) MFC after: 3 days --- sbin/ipfw/ipfw.8 | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index bc41aadce7d..ae5a8d1de7c 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -2486,3 +2486,14 @@ applied, making the order of rules in the rule sequence very important. .Pp Dummynet drops all packets with IPv6 link-local addresses. +.Pp +Rules using +.Cm uid +or +.Cm gid +may not behave as expected. In particular, incoming SYN packets may +have no uid or gid associated with them since they do not yet belong +to a TCP connection, and the uid/gid associated with a packet may not +be as expected if the associated process calls +.Xr setuid 2 +or similar system calls.
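Review bot: the new paragraph in the ipfw.8 hunk says "as expected" twice within three lines ("may not behave as expected" and "may not be as expected"), which reads as padding; consider tightening the second clause to something like "and the uid/gid associated with a packet may change if the associated process calls .Xr setuid 2 or similar system calls." More importantly, the paragraph describes the two failure modes (no credential on an incoming SYN because the packet does not yet belong to a TCP connection, and a credential that changes after setuid) but stops short of telling the administrator what that means for a rule set: add one sentence stating the consequence, that a uid or gid rule cannot be relied on to match inbound connection attempts and should be combined with other match criteria rather than used as the sole control on incoming traffic. Both points are derivable from the added lines themselves and need no change to the surrounding text.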