From owner-cvs-all Mon Jan 13 3:31:10 2003
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 68FF937B405; Mon, 13 Jan 2003 03:31:08 -0800 (PST)
Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id D460B43E4A; Mon, 13 Jan 2003 03:31:06 -0800 (PST) (envelope-from bde@zeta.org.au)
Received: from katana.zip.com.au (katana.zip.com.au [61.8.7.246]) by mailman.zeta.org.au (8.9.3/8.8.7) with ESMTP id WAA23619; Mon, 13 Jan 2003 22:30:51 +1100
Date: Mon, 13 Jan 2003 22:31:27 +1100 (EST)
From: Bruce Evans
X-X-Sender: bde@gamplex.bde.org
To: Pawel Jakub Dawidek
Cc: Matthew Dillon , ,
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c
In-Reply-To: <20030113082610.GH9430@garage.freebsd.pl>
Message-ID: <20030113222917.C12128-100000@gamplex.bde.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 13 Jan 2003, Pawel Jakub Dawidek wrote:

> On Mon, Jan 13, 2003 at 12:19:54AM -0800, Matthew Dillon wrote:
> +> You are looking at the old ipfw code. Look at the sysctls in
> +> ip_fw2.c instead. Either way it is not really relevant to my
> +> commit, I didn't make any changes to the IPFW kernel code, only
> +> to the userland program.
>
> Sorry. But IMHO in ip_fw2.c this sysctl works badly as well.
> CTLFLAG_SECURE prevents changing the sysctl when securelevel >= 0,
> and this prevention should only apply when >= 3.
>
> But the sysctl definition in ip_fw.c is bad, right? If yes, maybe some PR
> should be sent?

This is noted in the log message:

% RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v
% Working file: ip_fw2.c
% head: 1.22
% ...
% ----------------------------
% revision 1.11
% date: 2002/08/25 03:50:17;  author: cjc;  state: Exp;  lines: +6 -3
% Lock the sysctl(8) knobs that turn ip{,6}fw(8) firewalling and
% firewall logging on and off when at elevated securelevel(8). It would
% be nice to be able to only lock these at securelevel >= 3, like rules
% are, but there is no such functionality at present. I don't see reason
% to be adding features to securelevel(8) with MAC being merged into 5.0.
%
% PR: kern/39396
% Reviewed by: luigi
% MFC after: 1 week
% ----------------------------

Bruce
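Added example, not from this thread or from the FreeBSD source: a small userland C model of the two gating rules the thread is about. It assumes CTLFLAG_SECURE denies a sysctl write whenever securelevel > 0 (the behaviour being complained about), and adds a hypothetical LOCK_AT_3 flag for the "lock only at securelevel >= 3" behaviour the commit log says did not exist yet; the knob names, flag values and the modelling of a rule change as a knob are assumptions.

```c
/* Added example (not from the thread): a userland model of how a sysctl
 * write is gated by securelevel.  CTLFLAG_SECURE is assumed to deny writes
 * whenever securelevel > 0; the hypothetical LOCK_AT_3 flag models the
 * "lock only at securelevel >= 3" behaviour the commit log wishes for,
 * matching how ipfw rule changes are locked. */
#include <errno.h>
#include <stdio.h>

#define CTLFLAG_SECURE 0x01   /* real kernel flag name; value here is arbitrary */
#define LOCK_AT_3      0x02   /* hypothetical: locked only at securelevel >= 3 */

struct knob { const char *name; int flags; int value; };

/* Returns 0 on success or EPERM, mirroring the kernel's sysctl write path. */
int knob_write(struct knob *k, int securelevel, int newval)
{
    if ((k->flags & CTLFLAG_SECURE) && securelevel > 0)
        return EPERM;            /* locked as soon as securelevel is raised */
    if ((k->flags & LOCK_AT_3) && securelevel >= 3)
        return EPERM;            /* locked only at the highest level */
    k->value = newval;
    return 0;
}

/* For a whole table: how many knobs an administrator can still flip. */
int count_writable(struct knob *tab, int n, int securelevel)
{
    int ok = 0;
    for (int i = 0; i < n; i++) {
        struct knob tmp = tab[i];        /* write to a copy, keep table intact */
        if (knob_write(&tmp, securelevel, !tmp.value) == 0)
            ok++;
    }
    return ok;
}

int main(void)
{
    /* Constructed table; sysctl names are assumed, not taken from the thread. */
    struct knob tab[] = {
        { "net.inet.ip.fw.enable",  CTLFLAG_SECURE, 1 },  /* locked by rev 1.11 */
        { "net.inet.ip.fw.verbose", CTLFLAG_SECURE, 0 },  /* logging on/off   */
        { "ipfw rule change",       LOCK_AT_3,      0 },  /* rules: >= 3 only */
    };
    for (int lvl = -1; lvl <= 3; lvl++)
        printf("securelevel %2d: %d of 3 writable\n", lvl,
               count_writable(tab, 3, lvl));
    return 0;
}
```

At securelevel 1 or 2 the firewall on/off knobs are already frozen while rules can still be edited, which is the asymmetry the thread points out.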