Delivered-To: cvs-all@freebsd.org
Date: Mon, 13 Jan 2003 10:59:02 -0800 (PST)
From: Matthew Dillon
Message-Id: <200301131859.h0DIx2pa004540@apollo.backplane.com>
To: Pawel Jakub Dawidek
Cc: Bruce Evans, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, luigi@FreeBSD.ORG
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c
References: <20030113082610.GH9430@garage.freebsd.pl> <20030113222917.C12128-100000@gamplex.bde.org> <20030113140700.GP9430@garage.freebsd.pl>

This seems like overkill to me. Why not simply implement CTLFLAG_SECURE3? Also, the comment that Bruce quoted seems to imply that MAC will eventually take over this functionality. I suppose we could have a bandaid until then, but if so I would far prefer a CTLFLAG_SECURE3 bandaid than changing ip_fw_enable into a SYSCTL_PROC.

-Matt

:Ok, could someone commit this?
:
:--- ip_fw2.c.orig Fri Dec 27 18:43:25 2002 :+++ ip_fw2.c Mon Jan 13 15:02:54 2003 :@@ -111,9 +111,32 @@ :=20 : #ifdef SYSCTL_NODE : SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); :-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, :- CTLFLAG_RW | CTLFLAG_SECURE, :- &fw_enable, 0, "Enable ipfw"); :+ :+static int :+sysctl_net_inet_ip_fw_enable(SYSCTL_HANDLER_ARGS) :+{ :+ int error, enable; :+ :+ enable =3D fw_enable; :+ error =3D sysctl_handle_int(oidp, &enable, 0, req); :+ if (error !=3D 0 || req->newptr =3D=3D NULL || enable =3D=3D fw_enable) :+ return (error); :+ :+#if __FreeBSD_version >=3D 500034 :+ error =3D securelevel_ge(req->td->td_ucred, 3); :+ if (error !=3D 0) :+ return (error); :+#else :+ if (securelevel >=3D 3) :+ return (EPERM); :+#endif :+ fw_enable =3D enable; :+ :+ return(0); :+} :+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT | CTLFLAG_RW, 0= :, 0, :+ sysctl_net_inet_ip_fw_enable, "I", "Enable ipfw"); :+ : SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, CTLFLAG_RW, : &autoinc_step, 0, "Rule number 
autincrement step"); : SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, one_pass,
:
:-- 
:Pawel Jakub Dawidek
:UNIX Systems Administrator
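Review bot: the replacement SYSCTL_PROC declares `CTLTYPE_INT | CTLFLAG_RW` and drops the `CTLFLAG_SECURE` that the removed SYSCTL_INT carried, so the only securelevel gate left is the handler's level-3 check (`securelevel_ge(req->td->td_ucred, 3)` on the new branch, `securelevel >= 3` on the old one); every securelevel below 3 now permits the write, and if that widening relative to the flag is intended the commit message should say so. Two smaller points in the same hunk: the early `return (error)` when `enable == fw_enable` lets a no-op write at securelevel 3 succeed silently instead of failing with EPERM, harmless but inconsistent with the stated intent; and since a custom handler is being added anyway, storing `fw_enable = (enable != 0);` would keep the knob to 0/1 rather than accepting any integer. `return(0);` also breaks the `return (error);` spacing used two lines above.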