From owner-freebsd-net@FreeBSD.ORG Wed Mar 14 13:09:29 2007
From: "Bruce M. Simpson" <bms@FreeBSD.org>
Date: Wed, 14 Mar 2007 13:09:25 +0000
To: Frank Behrens
Cc: freebsd-net@freebsd.org
Subject: Re: tap(4) should go UP if opened
Message-ID: <45F7F405.4040607@FreeBSD.org>
In-Reply-To: <200703141213.l2ECDntN087975@pinky.frank-behrens.de>
References: <200703091036.l29AawwJ005466@pinky.frank-behrens.de> <200703141213.l2ECDntN087975@pinky.frank-behrens.de>

Hi,

Frank Behrens wrote:
> If we have no possibility to mark the interface as UP for the non-root process the
> net.link.tap.user_open=1 is useless, because we can not transmit any packets. With the
> patch the interface goes UP only, when the administrator allowed non-root user access.
>

The conditional in the second patch is a no-op, as the open will be forbidden if the user did not have privilege to open the tap.

Bringing the interface up by default potentially violates POLA, so this should not happen by default. Please try the attached patch, which puts this behaviour under a sysctl.

Thanks,
BMS

[Attachment: tapuponopen.diff]

==== //depot/user/bms/netdev/sys/net/if_tap.c#1 - /home/bms/p4/netdev/sys/net/if_tap.c ====
--- /tmp/tmp.58336.0 Wed Mar 14 13:06:09 2007
+++ /home/bms/p4/netdev/sys/net/if_tap.c Wed Mar 14 13:05:54 2007
@@ -150,7 +150,8 @@ */ static struct mtx tapmtx; static int tapdebug = 0; /* debug flag */ -static int tapuopen = 0; /* allow user open() */ +static int tapuopen = 0; /* allow user open() */ +static int tapuponopen = 0; /* IFF_UP on open() */ static int tapdclone = 1; /* enable devfs cloning */ static SLIST_HEAD(, tap_softc) taphead; /* first device */ static struct clonedevs *tapclones; @@ -164,6 +165,8 @@ "Ethernet tunnel software network interface"); SYSCTL_INT(_net_link_tap, OID_AUTO, user_open, CTLFLAG_RW, &tapuopen, 0, "Allow user to open /dev/tap (based on node permissions)"); +SYSCTL_INT(_net_link_tap, OID_AUTO, up_on_open, CTLFLAG_RW, &tapuponopen, 0, + "Bring interface up when /dev/tap is opened"); SYSCTL_INT(_net_link_tap, OID_AUTO, devfs_cloning, CTLFLAG_RW, &tapdclone, 0, "Enably legacy devfs interface creation"); SYSCTL_INT(_net_link_tap, OID_AUTO, debug, CTLFLAG_RW, &tapdebug, 0, ""); @@ -502,6 +505,8 @@ s = splimp(); ifp->if_drv_flags |= IFF_DRV_RUNNING; ifp->if_drv_flags &= ~IFF_DRV_OACTIVE; + if (tapuponopen) + ifp->if_flags |= IFF_UP; splx(s); TAPDEBUG("%s is open. minor = %#x\n", ifp->if_xname, minor(dev)); --------------040501000203090403080306--
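Review bot: In the first hunk (@@ -150,7 +150,8 @@) the `tapuopen` line is removed and re-added with identical content, so that -/+ pair is whitespace-only churn from realigning the comment column; either drop it or note in the commit message that it is alignment only, so reviewers do not look for a semantic change there. The new `tapuponopen` defaulting to 0 is the right choice given the POLA concern stated in the mail: existing installations keep today's behaviour unless an administrator opts in.

Review bot: In the second hunk (@@ -164,6 +165,8 @@) the new `net.link.tap.up_on_open` knob has no documentation beyond its sysctl description string; it should be added to the tap(4) manual page next to `user_open`, with a note that it is a global, CTLFLAG_RW setting affecting every tap device, and that it is only meaningful in combination with `user_open` since root can already bring the interface up via ifconfig. The neighbouring description string "Enably legacy devfs interface creation" carries a pre-existing typo ("Enable") that could be fixed while this block is being touched.

Review bot: In the third hunk (@@ -502,6 +505,8 @@) the `if (tapuponopen) ifp->if_flags |= IFF_UP;` sets the flag bit directly instead of going through if_up(), which is the path SIOCSIFFLAGS takes; flipping the bit in place means the routing socket is not notified (no RTM_IFINFO), so daemons such as routed or a DHCP client watching for the interface to come up will not see the transition. Consider `if (tapuponopen) if_up(ifp);` after the spl section, and state in the commit message whether the flag is expected to be cleared again on close, so the administrator enabling the sysctl knows what lifecycle to expect.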