From nobody Tue Apr 21 11:32:52 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g0KwP2sPVz6bfhw for ; Tue, 21 Apr 2026 11:32:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g0KwN6rqdz3XMc for ; Tue, 21 Apr 2026 11:32:52 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1776771172; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=eBxKZYE94XXc8NtWWrB9CBTh5ndB6gwMinWbYOc88LE=; b=BiYyAD9qGqs4H16pwvu+5hDOWjamrysiTnh/URXVcIK7ddhxTREl3HDzyXSkOssrmbu8DR 2DkbByvphR5c9iZ1e9O1RMX8dScVfLf2nRjylMyO1bIeWkRgG9f1ikUXUSKC/LJ4D4RsNI XCAf/gmdRVjXWWC/DNfxVyZeJWsqTZ7lRtdVE7WkM2sDsrLtot7BwFpZ2AnqBCj0Jt4UgD 6pwjodUPKA51zWhsa9jewsYqknizZjAU+lZ/1v0JwR4gCtYMxQVf6SX7NTL/h4D6+EoXHG agkRkHCAkjxPzSHK4dX96ULLfqzRJGiPNuY6/toFWN1thh1n/x93GbUvXxY5dw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1776771172; a=rsa-sha256; cv=none; b=fwUXJNVca0AoYSbXGyutkEXh392ZJdvMh3H3Ln6f6olwVR1g4brmr5Wm2LSAB25y1Aqy6p DDGiLOd5lmpRWyuFqa3S8CgcKURSlMdZ74yktWTt1S4Xa4Uqy7LShSpLa9BXOMmgBX7TUi HahnrcGg6a9cl0yu1amXANCQKYhUx520FAgrlgJJWsedDe1d0OZs2U+EPDGFmFaWtz4N1p jScReSujl+oakOiDTIsN/WaTL+ZADEnCGEIABCZmGIv4OuYW8VKWASlAWpBq2XNYH2Imkb mqD0qSrCveFVIuUAb/CeaA6k9fPKbWc5l9weBcvt4m3FvINomquvBPIIfMtg0g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1776771172; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=eBxKZYE94XXc8NtWWrB9CBTh5ndB6gwMinWbYOc88LE=; b=VVWip9F5svxgz3/7n/keW8RpIdtYPiZ/V89CjaVsCMjm3kF3rIPaSZDklhXlXYwvgvOr7W EwsjQ93YZb+95KQQ810Hzzo6a9UdNVdnxpZ7OmBGVbeglEYKYsevoXJbeaTyCs7Zj2axrd hDggavAQC1YZ0c9MHSKEIM/4xYjAPU1SsrF+fP0FawAQyYCRcFiI+wS1spNSs7eTjYoIe3 Pnm93Kh2bgz4VJB46z23ODksXkfIa5hjbmvIR23Ypt57RX8ik2yb0qNd5+mUTLjru5cyx0 nyVo8cTMqH7diPocVaxaPLXyIrDhLf8xT+5/wr6HQGxYgWdQEQ8TJwctEKbH9Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4g0KwN6STvzj7C for ; Tue, 21 Apr 2026 11:32:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 42067 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 21 Apr 2026 11:32:52 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kristof Provost Subject: git: 9933bdcb1264 - main - pf: only allow a subset of netlink calls when securelevel is set List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 9933bdcb12641839b7396ccd0c6b8a2d55d12744 Auto-Submitted: auto-generated Date: Tue, 21 Apr 2026 11:32:52 +0000 Message-Id: <69e76064.42067.611e2563@gitrepo.freebsd.org> The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=9933bdcb12641839b7396ccd0c6b8a2d55d12744 commit 9933bdcb12641839b7396ccd0c6b8a2d55d12744 Author: Kristof Provost AuthorDate: 2026-04-20 06:36:17 +0000 Commit: Kristof Provost CommitDate: 2026-04-21 09:51:28 +0000 pf: only allow a subset of netlink calls when securelevel is set Extend the genl_cmd struct to allow calls to also carry a securelevel. If that's set compare the current securelevel to only allow the call if the level is lower than that. If no value is specified continue to allow calls in any securelevel, as before. This allows us to easily implement the same securelevel restrictions for pf as we have for the corresponding ioctls. Reviewed by: glebius MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D56390 --- sys/netlink/netlink_ctl.h | 3 +++ sys/netlink/netlink_generic.c | 7 +++++++ sys/netpfil/pf/pf_nl.c | 47 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 57 insertions(+) diff --git a/sys/netlink/netlink_ctl.h b/sys/netlink/netlink_ctl.h index 7f43e0f2c25e..4740d306dd54 100644 --- a/sys/netlink/netlink_ctl.h +++ b/sys/netlink/netlink_ctl.h @@ -89,6 +89,9 @@ struct genl_cmd { uint32_t cmd_flags; uint32_t cmd_priv; uint32_t cmd_num; + + /* Disallow this call from this level up (inclusive). */ + uint32_t cmd_securelevel; }; uint16_t genl_register_family(const char *family_name, size_t hdrsize, diff --git a/sys/netlink/netlink_generic.c b/sys/netlink/netlink_generic.c index d20ec4c7545f..3a73ecc0b339 100644 --- a/sys/netlink/netlink_generic.c +++ b/sys/netlink/netlink_generic.c @@ -150,6 +150,13 @@ genl_handle_message(struct nlmsghdr *hdr, struct nl_pstate *npt) return (EPERM); } + if (cmd->cmd_securelevel > 0 && + securelevel_ge(nlp_get_cred(nlp), cmd->cmd_securelevel)) { + NLP_LOG(LOG_DEBUG, nlp, "family %s: cmd %d securelevel_gt() failed", + gf->family_name, ghdr->cmd); + return (EPERM); + } + NLP_LOG(LOG_DEBUG2, nlp, "received family %s cmd %s(%d) len %d", gf->family_name, cmd->cmd_name, ghdr->cmd, hdr->nlmsg_len); diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c index c2ea65f4b043..e4ce9e64f637 100644 --- a/sys/netpfil/pf/pf_nl.c +++ b/sys/netpfil/pf/pf_nl.c @@ -2872,6 +2872,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_getstates, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GETCREATORS, @@ -2879,6 +2880,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_getcreators, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_START, @@ -2886,6 +2888,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_start, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_STOP, @@ -2893,6 +2896,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_stop, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_ADDRULE, @@ -2900,6 +2904,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_addrule, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GETRULES, @@ -2907,6 +2912,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_getrules, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GETRULE, @@ -2914,6 +2920,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_getrule, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLRSTATES, @@ -2921,6 +2928,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_states, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_KILLSTATES, @@ -2928,6 +2936,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_kill_states, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_SET_STATUSIF, @@ -2935,6 +2944,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_set_statusif, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GET_STATUS, @@ -2942,6 +2952,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_status, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLEAR_STATUS, @@ -2949,6 +2960,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_status, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_NATLOOK, @@ -2956,6 +2968,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_natlook, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_SET_DEBUG, @@ -2963,6 +2976,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_set_debug, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_SET_TIMEOUT, @@ -2970,6 +2984,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_set_timeout, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GET_TIMEOUT, @@ -2977,6 +2992,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_timeout, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_SET_LIMIT, @@ -2984,6 +3000,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_set_limit, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GET_LIMIT, @@ -2991,6 +3008,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_limit, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_BEGIN_ADDRS, @@ -2998,6 +3016,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_begin_addrs, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_ADD_ADDR, @@ -3005,6 +3024,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_add_addr, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_ADDRS, @@ -3012,6 +3032,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_addrs, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_ADDR, @@ -3019,6 +3040,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_addr, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_RULESETS, @@ -3026,6 +3048,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_rulesets, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_RULESET, @@ -3033,6 +3056,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_ruleset, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_SRCNODES, @@ -3040,6 +3064,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_srcnodes, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLEAR_TABLES, @@ -3047,6 +3072,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_tables, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_ADD_TABLE, @@ -3054,6 +3080,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_add_table, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_DEL_TABLE, @@ -3061,6 +3088,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_del_table, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GET_TSTATS, @@ -3068,6 +3096,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_tstats, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLR_TSTATS, @@ -3075,6 +3104,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_tstats, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLR_ADDRS, @@ -3082,6 +3112,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_addrs, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_TABLE_ADD_ADDR, @@ -3089,6 +3120,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_table_add_addrs, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_TABLE_DEL_ADDR, @@ -3096,6 +3128,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_table_del_addrs, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_TABLE_SET_ADDR, @@ -3103,6 +3136,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_table_set_addrs, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_TABLE_GET_ADDR, @@ -3110,6 +3144,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_table_get_addrs, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_TABLE_GET_ASTATS, @@ -3117,6 +3152,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_table_get_astats, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_TABLE_CLEAR_ASTATS, @@ -3124,6 +3160,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_table_clear_astats, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_STATE_LIMITER_ADD, @@ -3131,6 +3168,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_state_limiter_add, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_STATE_LIMITER_GET, @@ -3138,6 +3176,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_state_limiter_get, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_STATE_LIMITER_NGET, @@ -3145,6 +3184,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_state_limiter_get, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_SOURCE_LIMITER_ADD, @@ -3152,6 +3192,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_source_limiter_add, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_SOURCE_LIMITER_GET, @@ -3159,6 +3200,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_source_limiter_get, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_SOURCE_LIMITER_NGET, @@ -3166,6 +3208,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_source_limiter_get, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_SOURCE_GET, @@ -3173,6 +3216,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_source_get, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_SOURCE_NGET, @@ -3180,6 +3224,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_source_get, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_SOURCE_CLEAR, @@ -3187,6 +3232,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_source_clear, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_TABLE_TEST_ADDRS, @@ -3194,6 +3240,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_table_test_addrs, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, };