From: "Andrey V. Elsukov"
Reply-To: bu7cher@yandex.ru
To: ipfw@freebsd.org, hackers@freebsd.org
Date: Wed, 28 Sep 2005 11:04:11 +0400
Message-ID: <433A406B.3000300@yandex.ru>
List-Id: IPFW Technical Discussions
Subject: nonprivileged access to ipfw

Hi All!

I want nonprivileged access to ipfw (without sudo, suid, etc.). But RAW sockets restrict this. I have one idea: a pseudo device /dev/ipfw. I think that realisation of this feature is not a difficult task. Now I have some questions.

1. Am I thinking correctly about the following?
   * adding a cdevsw declaration with an ipfw_ioctl implementation;
   * adding make_dev into the ipfw initialization function (on the MOD_LOAD event);
   * adding destroy_dev (on MOD_UNLOAD);
   * adding the needed functionality into /sbin/ipfw.

2. About the ipfw_ioctl implementation: I can pack the ioctl params into a sockopt structure and directly call the ipfw_ctl function. Is that OK?

3. About ioctl requests: what symbol should I place into the definition of an ioctl request? What does it depend on? For example:

    #define DIOCCLRSTATES _IOWR('D', 18, struct pfioc_state_kill)
    >>---------------------------^

4. Can I define only two ioctl requests, for example:

    IPFWIOCSCMD _IOW('x', 0, struct sockopt_like_struct)
    IPFWIOCGCMD _IOR('x', 1, struct sockopt_like_struct)

   and pass the IP_FW_XXX sockoptions in a sockopt_like_struct member, or should I define two definitions (set/get) for each IP_FW_XXX option?

Thanks and sorry for my English :(

--
WBR, Andrey V. Elsukov
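An added example, not part of the original message or of the ipfw code: how the request words from questions 3 and 4 are composed, and the checks a handler for the two-request design would need before trusting the option name. It relies on FreeBSD's ioctl path copying the argument in only when the direction bits include IOC_IN and handing the driver a zeroed buffer for a pure _IOR request. The X_ macros, the struct layout, IPFWIOCGCMD_RW and the locally defined option numbers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* BSD ioctl request word layout, mirrored from <sys/ioccom.h> under local X_ names. */
#define X_IOCPARM_MASK 0x1fffUL     /* 13-bit parameter length */
#define X_IOC_OUT 0x40000000UL      /* kernel copies the parameter out */
#define X_IOC_IN  0x80000000UL      /* kernel copies the parameter in */
#define X_IOC(dir, g, n, len) ((unsigned long)((dir) | \
    (((unsigned long)(len) & X_IOCPARM_MASK) << 16) | ((unsigned long)(g) << 8) | (unsigned long)(n)))
#define X_IOR(g, n, t)  X_IOC(X_IOC_OUT, g, n, sizeof(t))
#define X_IOW(g, n, t)  X_IOC(X_IOC_IN, g, n, sizeof(t))
#define X_IOWR(g, n, t) X_IOC(X_IOC_IN | X_IOC_OUT, g, n, sizeof(t))

/* Hypothetical layout for the message's sockopt_like_struct. */
struct sockopt_like_struct { int name; size_t valsize; void *val; };

#define IPFWIOCSCMD    X_IOW('x', 0, struct sockopt_like_struct)
#define IPFWIOCGCMD    X_IOR('x', 1, struct sockopt_like_struct)   /* as in the message */
#define IPFWIOCGCMD_RW X_IOWR('x', 1, struct sockopt_like_struct)  /* hypothetical variant */

/* Option numbers defined locally for the example. */
enum { IP_FW_DEL = 51, IP_FW_FLUSH = 52, IP_FW_GET = 54 };

static int ioc_group(unsigned long c) { return (int)((c >> 8) & 0xff); }
static int ioc_num(unsigned long c) { return (int)(c & 0xff); }
static size_t ioc_len(unsigned long c) { return (size_t)((c >> 16) & X_IOCPARM_MASK); }

/* Validation for the two-request design. Returns 0 to accept, -1 to refuse. */
static int check_request(unsigned long cmd, const struct sockopt_like_struct *p)
{
    if (ioc_group(cmd) != 'x' || ioc_len(cmd) != sizeof(*p))
        return -1;
    if (!(cmd & X_IOC_IN))          /* p->name was never copied in from the caller */
        return -1;
    switch (p->name) {
    case IP_FW_DEL: case IP_FW_FLUSH:
        return ioc_num(cmd) == 0 ? 0 : -1;   /* modifying options: set request only */
    case IP_FW_GET:
        return ioc_num(cmd) == 1 ? 0 : -1;   /* read option: get request only */
    default: return -1;                      /* unknown option: refuse */
    }
}

int main(void)
{
    struct sockopt_like_struct get = { IP_FW_GET, 0, NULL };
    printf("_IOR get: %d, _IOWR get: %d\n",
           check_request(IPFWIOCGCMD, &get), check_request(IPFWIOCGCMD_RW, &get));
    return 0;
}
```

The group character and number only name the request; the direction bits and the encoded size decide what the kernel copies before the driver's ioctl routine runs, so a get request that carries the option name inside the struct has to be declared with both directions.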