From owner-p4-projects@FreeBSD.ORG Fri Aug 14 14:47:30 2009 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 0F399106568D; Fri, 14 Aug 2009 14:47:30 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C7A09106568C for ; Fri, 14 Aug 2009 14:47:29 +0000 (UTC) (envelope-from marta@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id B45728FC61 for ; Fri, 14 Aug 2009 14:47:29 +0000 (UTC) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id n7EElTkF086706 for ; Fri, 14 Aug 2009 14:47:29 GMT (envelope-from marta@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id n7EElTnx086704 for perforce@freebsd.org; Fri, 14 Aug 2009 14:47:29 GMT (envelope-from marta@FreeBSD.org) Date: Fri, 14 Aug 2009 14:47:29 GMT Message-Id: <200908141447.n7EElTnx086704@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to marta@FreeBSD.org using -f 
From: Marta Carbone To: Perforce Change Reviews Cc: Subject: PERFORCE change 167327 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Aug 2009 14:47:30 -0000 http://perforce.freebsd.org/chv.cgi?CH=167327 Change 167327 by marta@marta_onelab1 on 2009/08/14 14:47:13 Added some missing files (related to the previous commit), integrate with head. Affected files ... .. //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/Makefile.inc#2 integrate .. //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/mac.3#2 integrate .. //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/mac_free.3#2 integrate .. //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/mac_get.3#2 integrate .. //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/mac_set.3#2 integrate .. //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/mac_text.3#2 integrate .. //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/posix1e.3#2 integrate .. //depot/projects/soc2009/marta_ipfw/src/lib/libipfw/Makefile#1 add .. //depot/projects/soc2009/marta_ipfw/src/lib/libkvm/kvm_vnet.c#2 integrate .. //depot/projects/soc2009/marta_ipfw/src/sbin/ipfw/ipv6.c#2 edit .. //depot/projects/soc2009/marta_ipfw/src/sys/netinet/ipfw/ip_fw2.c#2 integrate Differences ... ==== //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/Makefile.inc#2 (text+ko) ==== @@ -1,4 +1,4 @@ -# $FreeBSD: src/lib/libc/posix1e/Makefile.inc,v 1.22 2009/07/14 19:37:53 trasz Exp $ +# $FreeBSD: src/lib/libc/posix1e/Makefile.inc,v 1.23 2009/08/12 10:46:48 rwatson Exp $ .PATH: ${.CURDIR}/posix1e 
@@ -106,14 +106,16 @@ mac_get.3 mac_get_fd.3 \ mac_get.3 mac_get_file.3 \ mac_get.3 mac_get_link.3 \ + mac_get.3 mac_get_peer.3 \ mac_get.3 mac_get_pid.3 \ mac_get.3 mac_get_proc.3 \ mac_prepare.3 mac_prepare_file_label.3 \ mac_prepare.3 mac_prepare_ifnet_label.3 \ mac_prepare.3 mac_prepare_process_label.3 \ - mac_set.3 mac_set_link.3 \ + mac_prepare.3 mac_prepare_type.3 \ mac_set.3 mac_set_fd.3 \ mac_set.3 mac_set_file.3 \ + mac_set.3 mac_set_link.3 \ mac_set.3 mac_set_proc.3 \ mac_text.3 mac_from_text.3 \ mac_text.3 mac_to_text.3 ==== //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/mac.3#2 (text+ko) ==== @@ -1,4 +1,5 @@ .\" Copyright (c) 2001, 2003 Networks Associates Technology, Inc. +.\" Copyright (c) 2009 Robert N. M. Watson .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by Chris @@ -28,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/lib/libc/posix1e/mac.3,v 1.15 2005/07/31 03:30:44 keramida Exp $ +.\" $FreeBSD: src/lib/libc/posix1e/mac.3,v 1.16 2009/08/12 10:46:48 rwatson Exp $ .\" -.Dd April 19, 2003 +.Dd August 7, 2009 .Dt MAC 3 .Os .Sh NAME 
@@ -44,81 +45,82 @@ In the kernel configuration file: .Cd "options MAC" .Sh DESCRIPTION -.Fx -permits administrators to define Mandatory Access Control labels -defining levels for the privacy and integrity of data, -overriding discretionary policies -for those objects. -Not all objects currently provide support for MAC labels, -and MAC support must be explicitly enabled by the administrator. -The library calls include routines to retrieve, duplicate, -and set MAC labels associated with files and processes. +Mandatory Access Control labels describe confidentiality, integrity, and +other security attributes of operating system objects, overriding +discretionary access control. +Not all system objects support MAC labeling, and MAC policies must be +explicitly enabled by the administrator. +This API, based on POSIX.1e, includes routines to retrieve, manipulate, set, +and convert to and from text the MAC labels on files and processes. +.Pp +MAC labels consist of a set of (name, value) tuples, representing security +attributes from MAC policies. +For example, this label contains security labels defined by two policies, +.Xr mac_biba 4 +and +.Xr mac_mls 4 : +.Bd -literal -offset indent +biba/low,mls/low +.Ed +.Pp +Further syntax and semantics of MAC labels may be found in +.Xr maclabel 7 . +.Pp +Applications operate on labels stored in +.Vt mac_t , +but can convert between this internal format and a text format for the +purposes of presentation to uses or external storage. +When querying a label on an object, a +.Vt mac_t +must first be prepared using the interfaces described in +.Xr mac_prepare 3 , +allowing the application to declare which policies it wishes to interogate. +The application writer can also rely on default label names declared in +.Xr mac.conf 5 . 
.Pp -POSIX.1e describes a set of MAC manipulation routines -to manage the contents of MAC labels, -as well as their relationships with -files and processes; -almost all of these support routines -are implemented in -.Fx . +When finished with a +.Vt mac_t , +the application must call +.Xr mac_free 3 +to release its storage. .Pp -Available functions, sorted by behavior, include: +The following functions are defined: .Bl -tag -width indent -.It Fn mac_get_fd -This function is described in +.It Fn mac_is_present +This function, described in +.Xr mac_is_present 3 , +allows applications to test whether MAC is configured, as well as whether +specific policies are configured. +.It Fn mac_get_fd , Fn mac_get_file , Fn mac_get_link , Fn mac_get_peer +These functions, described in .Xr mac_get 3 , -and may be used to retrieve the -MAC label associated with -a specific file descriptor. -.It Fn mac_get_file -This function is described in +retrieve the MAC labels associated with file descriptors, files, and socket +peers. +.It Fn mac_get_pid , Fn mac_get_proc +These functions, described in .Xr mac_get 3 , -and may be used to retrieve the -MAC label associated with -a named file. -.It Fn mac_get_proc -This function is described in -.Xr mac_get 3 , -and may be used to retrieve the -MAC label associated with -the calling process. -.It Fn mac_set_fd -This function is described in +retrieve the MAC labels associated with processes. +.It Fn mac_set_fd , Fn mac_set_file , Fn mac_set_link +These functions, described in .Xr mac_set 3 , -and may be used to set the -MAC label associated with -a specific file descriptor. -.It Fn mac_set_file -This function is described in -.Xr mac_set 3 , -and may be used to set the -MAC label associated with -a named file. +set the MAC labels associated with file descriptors and files. .It Fn mac_set_proc -This function is described in +This function, described in .Xr mac_set 3 , -and may be used to set the -MAC label associated with -the calling process. 
+sets the MAC label associated with the current process. .It Fn mac_free -This function is described in +This function, desribed in .Xr mac_free 3 , -and may be used to free -userland working MAC label storage. +frees working MAC label storage. .It Fn mac_from_text -This function is described in +This function, described in .Xr mac_text 3 , -and may be used to convert -a text-form MAC label -into a working +converts a text-form MAC label into working MAC label storage, .Vt mac_t . -.It Fn mac_prepare -.It Fn mac_prepare_file_label -.It Fn mac_prepare_ifnet_label -.It Fn mac_prepare_process_label -These functions are described in +.It Fn mac_prepare , Fn mac_prepare_file_label , Fn mac_prepare_ifnet_label , Fn mac_prepare_process_label , Fn mac_prepare_type +These functions, described in .Xr mac_prepare 3 , -and may be used to preallocate storage for MAC label retrieval. +allocate working storage for MAC label operations. .Xr mac_prepare 3 prepares a label based on caller-specified label names; the other calls rely on the default configuration specified in @@ -130,15 +132,6 @@ .Vt mac_t into a text-form MAC label. .El -The behavior of some of these calls is influenced by the configuration -settings found in -.Xr mac.conf 5 , -the MAC library run-time configuration file. -.Sh IMPLEMENTATION NOTES -.Fx Ns 's -support for POSIX.1e interfaces and features -is -.Ud . .Sh FILES .Bl -tag -width ".Pa /etc/mac.conf" -compact .It Pa /etc/mac.conf 
@@ -150,24 +143,20 @@ .Sh SEE ALSO .Xr mac_free 3 , .Xr mac_get 3 , +.Xr mac_is_present 3 , .Xr mac_prepare 3 , .Xr mac_set 3 , .Xr mac_text 3 , +.Xr posix1e 3 , .Xr mac 4 , .Xr mac.conf 5 , .Xr mac 9 .Sh STANDARDS -These APIs are loosely based on the APIs described in POSIX.1e. -POSIX.1e is described in IEEE POSIX.1e draft 17. -Discussion of the draft -continues on the cross-platform POSIX.1e implementation mailing list. -To join this list, see the -.Fx -POSIX.1e implementation page -for more information. -However, the resemblance of these APIs to the POSIX APIs is only loose, -as the POSIX APIs were unable to express many notions required for -flexible and extensible access control. +These APIs are loosely based on the APIs described in POSIX.1e, as described +in IEEE POSIX.1e draft 17. +However, the resemblence of these APIS to the POSIX APIs is loose, as the +PSOXI APIS were unable to express some notinos required for flexible and +extensible access control. .Sh HISTORY Support for Mandatory Access Control was introduced in .Fx 5.0 ==== //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/mac_free.3#2 (text+ko) ==== @@ -31,7 +31,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/lib/libc/posix1e/mac_free.3,v 1.6 2003/08/22 18:01:03 rwatson Exp $ +.\" $FreeBSD: src/lib/libc/posix1e/mac_free.3,v 1.7 2009/08/12 10:46:48 rwatson Exp $ .\" .Dd December 21, 2001 .Dt MAC_FREE 3 @@ -64,6 +64,7 @@ .Xr mac_prepare 3 , .Xr mac_set 3 , .Xr mac_text 3 , +.Xr posix1e 3 , .Xr mac 4 , .Xr mac 9 .Sh STANDARDS 
@@ -91,8 +92,8 @@ .Tn TrustedBSD implementation, .Fn mac_free -is specific to that type, and must not be used to free the character -strings returned from +is specific to +.Vt mac_3 , +and must not be used to free the character strings returned from .Fn mac_to_text . -Doing so may result in undefined behavior, -including application failure. +Doing so may result in undefined behavior. ==== //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/mac_get.3#2 (text+ko) ==== @@ -28,7 +28,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/lib/libc/posix1e/mac_get.3,v 1.10 2004/06/30 20:09:09 ru Exp $ +.\" $FreeBSD: src/lib/libc/posix1e/mac_get.3,v 1.11 2009/08/12 10:46:48 rwatson Exp $ .\" .Dd December 21, 2001 .Dt MAC_GET 3 @@ -133,6 +133,7 @@ .Xr mac_prepare 3 , .Xr mac_set 3 , .Xr mac_text 3 , +.Xr posix1e 3 , .Xr mac 4 , .Xr mac 9 .Sh STANDARDS ==== //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/mac_set.3#2 (text+ko) ==== @@ -28,7 +28,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/lib/libc/posix1e/mac_set.3,v 1.11 2006/07/07 14:02:17 rwatson Exp $ +.\" $FreeBSD: src/lib/libc/posix1e/mac_set.3,v 1.12 2009/08/12 10:46:48 rwatson Exp $ .\" .Dd January 14, 2003 .Dt MAC_SET 3 @@ -138,6 +138,7 @@ .Xr mac_is_present 3 , .Xr mac_prepare 3 , .Xr mac_text 3 , +.Xr posix1e 3 , .Xr mac 4 , .Xr mac 9 .Sh HISTORY ==== //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/mac_text.3#2 (text+ko) ==== @@ -28,7 +28,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/lib/libc/posix1e/mac_text.3,v 1.12 2006/07/07 14:02:17 rwatson Exp $ +.\" $FreeBSD: src/lib/libc/posix1e/mac_text.3,v 1.13 2009/08/12 10:46:48 rwatson Exp $ .\" .Dd December 21, 2001 .Dt MAC_TEXT 3 
@@ -98,6 +98,7 @@ .Xr mac_is_present 3 , .Xr mac_prepare 3 , .Xr mac_set 3 , +.Xr posix1e 3 , .Xr mac 4 , .Xr maclabel 7 .Sh STANDARDS ==== //depot/projects/soc2009/marta_ipfw/src/lib/libc/posix1e/posix1e.3#2 (text+ko) ==== @@ -1,5 +1,5 @@ .\"- -.\" Copyright (c) 2000 Robert N. M. Watson +.\" Copyright (c) 2000, 2009 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -23,9 +23,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/lib/libc/posix1e/posix1e.3,v 1.28 2009/05/19 22:28:33 brueffer Exp $ +.\" $FreeBSD: src/lib/libc/posix1e/posix1e.3,v 1.29 2009/08/12 10:46:48 rwatson Exp $ .\" -.Dd May 20, 2009 +.Dd August 7, 2009 .Dt POSIX1E 3 .Os .Sh NAME 
@@ -36,99 +36,77 @@ .Sh SYNOPSIS .In sys/types.h .In sys/acl.h -.\" .In sys/capability.h .In sys/mac.h .Sh DESCRIPTION -The IEEE POSIX.1e specification never left draft form, but the interfaces -it describes are now widely used despite inherent limitations. -Currently, only a few of the interfaces and features are implemented in -.Fx , -although efforts are underway to complete the integration at this time. +POSIX.1e describes five security extensions to the POSIX.1 API: Access +Control Lists (ACLs), Auditing, Capabilities, Mandatory Access Control, and +Information Flow Labels. +While IEEE POSIX.1e D17 specification has not been standardized, several of +its interfaces are widely used. .Pp -POSIX.1e describes five security extensions to the base POSIX.1 API: -Access Control Lists (ACLs), Auditing, Capabilities, Mandatory Access -Control, and Information Flow Labels. .Fx -supports POSIX.1e ACL interfaces, as well as POSIX.1e-like MAC -interfaces. -The TrustedBSD Project has produced but not integrated an implementation -of POSIX.1e Capabilities. +implements POSIX.1e interface for access control lists, described in +.Xr acl 3 , +and supports ACLs on the +.Xr ffs 7 +file system; ACLs must be administratively enabled using +.Xr tunefs 8 . .Pp -POSIX.1e defines both syntax and semantics for these features, but fairly -substantial changes are required to implement these features in the -operating system. +.Fx +implements a POSIX.1e-like mandatory access control interface, described in +.Xr mac 3 , +although with a number of extensions and important semantic differences. .Pp -As shipped, -.Fx 4.0 -provides API and VFS support for ACLs, but not an implementation on any -native file system. -.Fx 5.0 -includes support for ACLs as part of UFS1 and UFS2, as well as necessary -VFS support for additional file systems to export ACLs as appropriate. -Available API calls relating to ACLs are described in detail in -.Xr acl 3 . 
-.Pp -As shipped, -.Fx 5.0 -includes support for Mandatory Access Control as well as POSIX.1e-like -APIs for label management. -More information on API calls relating to MAC is available in -.Xr mac 3 . -.Pp -Additional patches supporting POSIX.1e features are provided by the -TrustedBSD project: -.Pp -http://www.TrustedBSD.org/ -.Sh IMPLEMENTATION NOTES -.Fx Ns 's -support for POSIX.1e interfaces and features is still under -development at this time, and many of these features are considered new -or experimental. +.Fx +does not implement the POSIX.1e audit, privilege (capability), or information +flow label APIs. +However, +.Fx +does implement the +.Xr libbsm +audit API. .Sh ENVIRONMENT -POSIX.1e assigns security labels to all objects, extending the security +POSIX.1e assigns security attributes to all objects, extending the security functionality described in POSIX.1. -These additional labels provide -fine-grained discretionary access control, fine-grained capabilities, -and labels necessary for mandatory access control. +These additional attributes store fine-grained discretionary access control +information and mandatory access control labels; for files, they are stored +in extended attributes, described in +.Xr extattr 3 . +.Pp POSIX.2c describes -a set of userland utilities for manipulating these labels. -.Pp -Many of these services are supported by extended attributes, documented -in -.Xr extattr 2 +a set of userland utilities for manipulating these attributes, including +.Xr getfacl 1 +and +.Xr setfacl 1 +for access control lists, and +.Xr getfmac 8 and -.Xr extattr 9 . -While these APIs are not documented in POSIX.1e, they are similar in -structure. +.Xr setfmac 8 +for mandatory access control labels. 
.Sh SEE ALSO +.Xr getfacl 1 , +.Xr setfacl 1 , .Xr extattr 2 , .Xr acl 3 , +.Xr extattr 3 , .Xr libbsm 3 , .Xr mac 3 , +.Xr ffs 7 , +.Xr getfmac 8 , +.Xr setfmac 8 , +.Xr tunefs 8 , .Xr acl 9 , .Xr extattr 9 , .Xr mac 9 .Sh STANDARDS POSIX.1e is described in IEEE POSIX.1e draft 17. -Discussion of the draft continues -on the cross-platform POSIX.1e implementation -mailing list. -To join this list, see the -.Fx -POSIX.1e implementation -page for more information. .Sh HISTORY POSIX.1e support was introduced in .Fx 4.0 ; -most of the features are available as of +most features were available as of .Fx 5.0 . -Development continues. .Sh AUTHORS .An Robert N M Watson .An Chris D. Faulhaber .An Thomas Moestl .An Ilmar S Habibulin -.Sh BUGS -Many of these features are considered new or experimental in -.Fx 5.0 -and should be deployed with appropriate caution. ==== //depot/projects/soc2009/marta_ipfw/src/lib/libkvm/kvm_vnet.c#2 (text+ko) ==== @@ -26,7 +26,7 @@ */ #include -__FBSDID("$FreeBSD: src/lib/libkvm/kvm_vnet.c,v 1.2 2009/08/01 19:26:27 rwatson Exp $"); +__FBSDID("$FreeBSD: src/lib/libkvm/kvm_vnet.c,v 1.3 2009/08/13 14:59:04 bz Exp $"); #include @@ -195,7 +195,7 @@ kd->vnet_start = nl[NLIST_START_VNET].n_value; kd->vnet_stop = nl[NLIST_STOP_VNET].n_value; kd->vnet_current = (uintptr_t)prison.pr_vnet; - kd->vnet_base = (uintptr_t)vnet.vnet_data_mem - kd->vnet_start; + kd->vnet_base = vnet.vnet_data_base; return (0); } ==== //depot/projects/soc2009/marta_ipfw/src/sbin/ipfw/ipv6.c#2 (text+ko) ==== @@ -23,6 +23,7 @@ */ #include +#include #include #include "ipfw2.h" 
@@ -66,35 +67,35 @@ } void -print_unreach6_code(uint16_t code) +print_unreach6_code(uint16_t code, struct sbuf *out) { char const *s = match_value(icmp6codes, code); if (s != NULL) - printf("unreach6 %s", s); + sbuf_printf(out, "unreach6 %s", s); else - printf("unreach6 %u", code); + sbuf_printf(out, "unreach6 %u", code); } /* * Print the ip address contained in a command. */ void -print_ip6(ipfw_insn_ip6 *cmd, char const *s) +print_ip6(ipfw_insn_ip6 *cmd, char const *s, struct sbuf *out, struct cmdline_opts *co) { struct hostent *he = NULL; int len = F_LEN((ipfw_insn *) cmd) - 1; struct in6_addr *a = &(cmd->addr6); char trad[255]; - printf("%s%s ", cmd->o.len & F_NOT ? " not": "", s); + sbuf_printf(out, "%s%s ", cmd->o.len & F_NOT ? " not": "", s); if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) { - printf("me6"); + sbuf_printf(out, "me6"); return; } if (cmd->o.opcode == O_IP6) { - printf(" ip6"); + sbuf_printf(out, " ip6"); return; } @@ -109,24 +110,24 @@ (cmd->o.opcode == O_IP6_SRC || cmd->o.opcode == O_IP6_DST) ? 128 : contigmask((uint8_t *)&(a[1]), 128); - if (mb == 128 && co.do_resolv) + if (mb == 128 && co->do_resolv) he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6); if (he != NULL) /* resolved to name */ - printf("%s", he->h_name); + sbuf_printf(out, "%s", he->h_name); else if (mb == 0) /* any */ - printf("any"); + sbuf_printf(out, "any"); else { /* numeric IP followed by some kind of mask */ if (inet_ntop(AF_INET6, a, trad, sizeof( trad ) ) == NULL) - printf("Error ntop in print_ip6\n"); - printf("%s", trad ); + sbuf_printf(out, "Error ntop in print_ip6\n"); + sbuf_printf(out, "%s", trad ); if (mb < 0) /* XXX not really legal... */ - printf(":%s", + sbuf_printf(out, ":%s", inet_ntop(AF_INET6, &a[1], trad, sizeof(trad))); else if (mb < 128) - printf("/%d", mb); + sbuf_printf(out, "/%d", mb); } if (len > 2) - printf(","); + sbuf_printf(out, ","); } } 
@@ -158,32 +159,32 @@ void -print_icmp6types(ipfw_insn_u32 *cmd) +print_icmp6types(ipfw_insn_u32 *cmd, struct sbuf *out) { int i, j; char sep= ' '; - printf(" ip6 icmp6types"); + sbuf_printf(out, " ip6 icmp6types"); for (i = 0; i < 7; i++) for (j=0; j < 32; ++j) { if ( (cmd->d[i] & (1 << (j))) == 0) continue; - printf("%c%d", sep, (i*32 + j)); + sbuf_printf(out, "%c%d", sep, (i*32 + j)); sep = ','; } } void -print_flow6id( ipfw_insn_u32 *cmd) +print_flow6id( ipfw_insn_u32 *cmd, struct sbuf *out) { uint16_t i, limit = cmd->o.arg1; char sep = ','; - printf(" flow-id "); + sbuf_printf(out, " flow-id "); for( i=0; i < limit; ++i) { if (i == limit - 1) sep = ' '; - printf("%d%c", cmd->d[i], sep); + sbuf_printf(out, "%d%c", cmd->d[i], sep); } } 
@@ -258,41 +259,41 @@ } void -print_ext6hdr( ipfw_insn *cmd ) +print_ext6hdr( ipfw_insn *cmd, struct sbuf *out) { char sep = ' '; - printf(" extension header:"); + sbuf_printf(out, " extension header:"); if (cmd->arg1 & EXT_FRAGMENT ) { - printf("%cfragmentation", sep); + sbuf_printf(out, "%cfragmentation", sep); sep = ','; } if (cmd->arg1 & EXT_HOPOPTS ) { - printf("%chop options", sep); + sbuf_printf(out, "%chop options", sep); sep = ','; } if (cmd->arg1 & EXT_ROUTING ) { - printf("%crouting options", sep); + sbuf_printf(out, "%crouting options", sep); sep = ','; } if (cmd->arg1 & EXT_RTHDR0 ) { - printf("%crthdr0", sep); + sbuf_printf(out, "%crthdr0", sep); sep = ','; } if (cmd->arg1 & EXT_RTHDR2 ) { - printf("%crthdr2", sep); + sbuf_printf(out, "%crthdr2", sep); sep = ','; } if (cmd->arg1 & EXT_DSTOPTS ) { - printf("%cdestination options", sep); + sbuf_printf(out, "%cdestination options", sep); sep = ','; } if (cmd->arg1 & EXT_AH ) { - printf("%cauthentication header", sep); + sbuf_printf(out, "%cauthentication header", sep); sep = ','; } if (cmd->arg1 & EXT_ESP ) { - printf("%cencapsulated security payload", sep); + sbuf_printf(out, "%cencapsulated security payload", sep); } } ==== //depot/projects/soc2009/marta_ipfw/src/sys/netinet/ipfw/ip_fw2.c#2 (text+ko) ==== @@ -24,7 +24,7 @@ */ #include -__FBSDID("$FreeBSD: src/sys/netinet/ipfw/ip_fw2.c,v 1.11 2009/08/01 19:26:27 rwatson Exp $"); +__FBSDID("$FreeBSD: src/sys/netinet/ipfw/ip_fw2.c,v 1.12 2009/08/14 10:09:45 julian Exp $"); #define DEB(x) #define DDB(x) x @@ -2057,7 +2057,7 @@ dst_ip, htons(dst_port), wildcard, NULL); if (pcb != NULL) { - *uc = crhold(inp->inp_cred); + *uc = crhold(pcb->inp_cred); *ugid_lookupp = 1; } INP_INFO_RUNLOCK(pi);
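Review bot: in the Makefile.inc MLINKS hunk, the two new links `+ mac_get.3 mac_get_peer.3 \` and `+ mac_prepare.3 mac_prepare_type.3 \` point at pages that this change does not show documenting those functions: the mac_get.3 hunks here touch only the `$FreeBSD$` tag and SEE ALSO, and mac_prepare.3 is not in the change at all. Confirm both pages describe mac_get_peer and mac_prepare_type before the links are installed, otherwise `man mac_get_peer` lands on a page that never mentions it. Moving `mac_set.3 mac_set_link.3` below mac_set_file.3 is fine, it restores alphabetical order.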
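Review bot: two spelling errors in the new mac.3 DESCRIPTION hunk (`@@ -44,81 +45,82 @@`): "for the purposes of presentation to uses" should be "users", and "which policies it wishes to interogate" should be "interrogate". The added paragraph on preparing a `.Vt mac_t` before querying a label is a useful clarification; "This API, based on POSIX.1e, includes routines to retrieve, manipulate, set, and convert to and from text" would read more naturally as "retrieve, manipulate, set, and convert to and from text form".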
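Review bot: in the mac.3 function-list hunk (`@@ -106,15 +108,16 @@`), "This function, desribed in" under `.It Fn mac_free` should be "described". The merged entries such as `.It Fn mac_get_fd , Fn mac_get_file , Fn mac_get_link , Fn mac_get_peer` are a clear improvement over one entry per function; the five-name `.It Fn mac_prepare ...` line is long enough that it is worth checking the rendered output of the page once before committing.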
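Review bot: the rewritten STANDARDS paragraph in mac.3 (`@@ -150,24 +143,20 @@`) introduces several typos in the added lines: "resemblence" (resemblance), "APIS" twice (APIs), "PSOXI" (POSIX) and "notinos" (notions). It also says "described" twice in one sentence: "loosely based on the APIs described in POSIX.1e, as described in IEEE POSIX.1e draft 17". Suggested wording: "These APIs are loosely based on those described in IEEE POSIX.1e draft 17. However, the resemblance is loose, as the POSIX APIs were unable to express some notions required for flexible and extensible access control."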
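Review bot: in the mac_free.3 hunk (`@@ -91,8 +92,8 @@`), `+.Vt mac_3 ,` names a type that does not exist; the label type used by every page in this change is `.Vt mac_t` (mac.3: "Applications operate on labels stored in .Vt mac_t"). The line should read `+.Vt mac_t ,`. The point the paragraph makes is the important one to keep intact: `mac_free` is specific to that type and must not be used on the strings returned by `mac_to_text`, which are freed with `free`.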
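Review bot: in the posix1e.3 DESCRIPTION hunk (`@@ -36,99 +36,77 @@`), `+.Xr libbsm` is missing its manual section; the SEE ALSO list further down the same hunk uses `.Xr libbsm 3 ,`, so use that form here too or the cross reference renders incomplete. Minor grammar in the same added text: "implements POSIX.1e interface for access control lists" needs "the", as does "While IEEE POSIX.1e D17 specification has not been standardized". The explicit statement that `.Fx` "does not implement the POSIX.1e audit, privilege (capability), or information flow label APIs" is a clearer description of scope than the removed "efforts are underway" wording and should stay.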
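Review bot: in the kvm_vnet.c hunk (`@@ -195,7 +195,7 @@`), `kd->vnet_base = vnet.vnet_data_base;` replaces a value computed from `vnet.vnet_data_mem` and `kd->vnet_start` with a field read directly from the kernel's `struct vnet`. Since libkvm copies that structure out of a live kernel or crash dump by symbol, the userland view of `struct vnet` must match the kernel it is pointed at; this line therefore belongs with the kernel-side change that added `vnet_data_base`, which is not part of this diff, and libkvm built from this tree will misread older dumps that lack the field.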
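Review bot: in the ipv6.c print_ip6 hunk (`@@ -109,24 +110,24 @@`), the inet_ntop failure path still falls through: after `sbuf_printf(out, "Error ntop in print_ip6\n");` execution continues to `sbuf_printf(out, "%s", trad );`, and `trad` has not been written by inet_ntop at that point, so uninitialized stack bytes end up in the rule listing. This predates the change, but since the lines are being rewritten anyway it is the moment to return (or skip the `%s`) after reporting the error; the `mb < 0` branch has the same shape, passing the second `inet_ntop(AF_INET6, &a[1], ...)` result straight to `%s` with no NULL check. Two further points on the same file: the error text now lands in the output sbuf rather than on stdout, which is fine only if callers do not assume the buffer contains rule text alone; and the new `struct sbuf *out` and `struct cmdline_opts *co` parameters (replacing the global `co.do_resolv` with `co->do_resolv`) require matching updates to the prototypes in ipfw2.h and to every caller, none of which are visible here even though ipv6.c is marked "edit" rather than "integrate".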
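Review bot: the ip_fw2.c hunk (`@@ -2057,7 +2057,7 @@`) is the one security-relevant fix in this change and looks correct: `*uc = crhold(pcb->inp_cred);` stores the credential of `pcb`, the connection found by the lookup on the preceding lines, where the old line took `inp->inp_cred`. Since this credential is what uid/gid firewall rules are matched against, holding the wrong pcb's credential makes allow/deny decisions based on the wrong socket's owner, silently. Because `crhold` takes a reference, confirm that the caller still pairs it with a `crfree` whenever `*ugid_lookupp` is set; that path is outside the hunk.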