From nobody Thu Jul 7 14:55:41 2022
Date: Thu, 7 Jul 2022 14:55:41 GMT
Message-Id: <202207071455.267Etf6R065506@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Cy Schubert
Subject: git: c47db49ba4aa - main - ipfilter: Support only jails in VNET
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: c47db49ba4aa7e74afe22591a62fbda95317932d

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=c47db49ba4aa7e74afe22591a62fbda95317932d

commit
c47db49ba4aa7e74afe22591a62fbda95317932d Author: Cy Schubert AuthorDate: 2022-03-17 18:05:05 +0000 Commit: Cy Schubert CommitDate: 2022-07-07 14:53:45 +0000 ipfilter: Support only jails in VNET Jails without VNET have complete access to the ipfilter rules, NAT, pools and logs. This is insecure. Only allow jails to manipulate ipfilter rules, NAT tables and ippools if the jail has its own VNET. Otherwise a jail can affect the global system. This patch brings ipfilter in line with ipfw's support of VNET jails and non-support of non-VNET jails. MFC after: 1 week --- sbin/ipf/libipf/interror.c | 4 +++- sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c | 7 +++++++ sys/netpfil/ipfilter/netinet/ip_nat.c | 9 +++++++++ sys/netpfil/ipfilter/netinet/mlfk_ipl.c | 12 ++++++++++++ 4 files changed, 31 insertions(+), 1 deletion(-) diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c index ca97254cb382..994fb9d2b320 100644 --- a/sbin/ipf/libipf/interror.c +++ b/sbin/ipf/libipf/interror.c @@ -17,7 +17,7 @@ typedef struct { static ipf_error_entry_t *find_error(int); -#define IPF_NUM_ERRORS 475 +#define IPF_NUM_ERRORS 477 /* * NO REUSE OF NUMBERS! @@ -355,6 +355,7 @@ log" }, { 60073, "unknown lookup group for next address (ipv6)" }, { 60074, "unknown next address type (ipv6)" }, { 60075, "one object at a time must be copied" }, + { 60076, "NAT ioctl denied in jail without VNET" }, /* -------------------------------------------------------------------------- */ { 70001, "incorrect object size to get pool stats" }, { 70002, "could not malloc memory for new pool node" }, @@ -516,6 +517,7 @@ log" }, { 130015, "ipf_init_all failed" }, { 130016, "finding pfil head failed" }, { 130017, "ipfilter is already initialised and running" }, + { 130018, "ioctl denied in jail without VNET" }, }; diff --git a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c index 10ad77c61534..212e6e2af6a7 100644 
--- a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c +++ b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c @@ -47,6 +47,7 @@ static const char rcsid[] = "@(#)$Id$"; #include #include #include +#include #include #include #include @@ -281,6 +282,12 @@ ipfioctl(struct cdev *dev, ioctlcmd_t cmd, caddr_t data, return (EPERM); } + if (jailed_without_vnet(p->p_cred)) { + V_ipfmain.ipf_interror = 130018; + CURVNET_RESTORE(); + return (EOPNOTSUPP); + } + unit = GET_MINOR(dev); if ((IPL_LOGMAX < unit) || (unit < 0)) { V_ipfmain.ipf_interror = 130002; diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c index 47a4802fa441..0bdf7396213f 100644 --- a/sys/netpfil/ipfilter/netinet/ip_nat.c +++ b/sys/netpfil/ipfilter/netinet/ip_nat.c @@ -42,6 +42,9 @@ struct file; #include #if defined(_KERNEL) # include +# if defined(__FreeBSD__) +# include +# endif # if !defined(__SVR4) # include # endif @@ -999,6 +1002,12 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, IPFERROR(60001); return (EPERM); } +# if defined(__FreeBSD__) + if (jailed_without_vnet(curthread->td_ucred)) { + IPFERROR(60076); + return (EOPNOTSUPP); + } +# endif #endif getlock = (mode & NAT_LOCKHELD) ? 0 : 1; diff --git a/sys/netpfil/ipfilter/netinet/mlfk_ipl.c b/sys/netpfil/ipfilter/netinet/mlfk_ipl.c index 872471bac38b..091d2c7d2061 100644 --- a/sys/netpfil/ipfilter/netinet/mlfk_ipl.c +++ b/sys/netpfil/ipfilter/netinet/mlfk_ipl.c @@ -377,6 +377,9 @@ sysctl_error: static int sysctl_ipf_int_nat ( SYSCTL_HANDLER_ARGS ) { + if (jailed_without_vnet(curthread->td_ucred)) + return (0); + ipf_nat_softc_t *nat_softc; nat_softc = V_ipfmain.ipf_nat_soft; @@ -388,6 +391,9 @@ sysctl_ipf_int_nat ( SYSCTL_HANDLER_ARGS ) static int sysctl_ipf_int_state ( SYSCTL_HANDLER_ARGS ) { + if (jailed_without_vnet(curthread->td_ucred)) + return (0); + ipf_state_softc_t *state_softc; state_softc = V_ipfmain.ipf_state_soft; 
@@ -399,6 +405,9 @@ sysctl_ipf_int_state ( SYSCTL_HANDLER_ARGS ) static int sysctl_ipf_int_auth ( SYSCTL_HANDLER_ARGS ) { + if (jailed_without_vnet(curthread->td_ucred)) + return (0); + ipf_auth_softc_t *auth_softc; auth_softc = V_ipfmain.ipf_auth_soft; @@ -410,6 +419,9 @@ sysctl_ipf_int_auth ( SYSCTL_HANDLER_ARGS ) static int sysctl_ipf_int_frag ( SYSCTL_HANDLER_ARGS ) { + if (jailed_without_vnet(curthread->td_ucred)) + return (0); + ipf_frag_softc_t *frag_softc; frag_softc = V_ipfmain.ipf_frag_soft;
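Review bot: IPF_NUM_ERRORS in the interror.c hunk (@@ -17,7 +17,7 @@) is bumped by hand from 475 to 477 to match the two new table entries (60076 and 130018), which is correct for this patch, but a hand-maintained count next to a growing table will drift the next time someone adds an entry and forgets the constant; consider deriving it from the table's size with sizeof where find_error() consumes it, or add a compile-time assertion that the two agree.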
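Review bot: the new jailed_without_vnet() check in ipfioctl (ip_fil_freebsd.c @@ -281,6 +282,12 @@) runs before `unit = GET_MINOR(dev)` and before any command is looked at, so it refuses every ioctl on the device from a non-VNET jail, read-only status and statistics requests included, while the commit message only says such jails may not "manipulate" rules, NAT tables and pools; either state in the message (and any man page text) that non-VNET jails get no ipfilter access at all, or move the check behind the command dispatch so read-only requests keep working. The denial also returns EOPNOTSUPP where the check directly above it returns EPERM; EPERM is what administrators and the ipf tools expect for "not allowed from this context", and "operation not supported" reads as a missing feature. Finally, `V_ipfmain.ipf_interror = 130018;` still writes into the shared vnet's ipfmain on behalf of the caller being refused, which is harmless but is exactly the kind of host-state write the check exists to stop; setting the error only on the accepted path would keep the refusal side-effect free.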
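Review bot: ipf_nat_ioctl (ip_nat.c @@ -999,6 +1002,12 @@) gains a second jailed_without_vnet() check with its own error number (60076) and the same EOPNOTSUPP return as the ipfioctl hunk. If the NAT ioctls are only reachable through ipfioctl, which already refuses non-VNET jails, this is defence in depth and deserves a one-line comment saying so; if there is another entry point, the commit message should name it, because that is the real boundary being closed. Either way the errno should match the `IPFERROR(60001); return (EPERM);` path two lines above it rather than introduce a second convention for the same condition.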
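Review bot: the mlfk_ipl.c hunks (sysctl_ipf_int_nat @@ -377,6 +380,9 @@, with identical insertions in sysctl_ipf_int_state, sysctl_ipf_int_auth and sysctl_ipf_int_frag) place `if (jailed_without_vnet(curthread->td_ucred)) return (0);` ahead of the block's declaration (`ipf_nat_softc_t *nat_softc;` and its siblings), which style(9) wants at the top of the block; move the check below the declarations in all four handlers. More importantly, returning 0 before any SYSCTL_IN/SYSCTL_OUT reports success with nothing transferred, so a jailed reader gets an empty result it cannot distinguish from a genuine value and a jailed writer sees the call succeed while changing nothing; returning EPERM (or at least the EOPNOTSUPP the ioctl path uses) makes the refusal visible and keeps the sysctl and ioctl behaviour consistent.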