Date: Thu, 24 May 2001 06:56:10 -0700 (PDT)
From: andria@tovaris.com
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/27615: ipf restricts rule-changing at securelevel 2
Message-ID: <200105241356.f4ODuAp66088@freefall.freebsd.org>
>Number: 27615 >Category: kern >Synopsis: ipf restricts rule-changing at securelevel 2 >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu May 24 07:00:01 PDT 2001 >Closed-Date: >Last-Modified: >Originator: Andria Thomas >Release: 4.3-STABLE >Organization: Tovaris >Environment: FreeBSD fw.intranet 4.3-STABLE FreeBSD 4.3-STABLE #1: Wed May 23 09:45:59 EDT 2001 root@fw.intranet:/data/obj/data/src/sys/FW i386 >Description: According to the 'init' manpage, running at securelevel 2 should still allow the flushing/changing of ipf/ipnat rules. This is true for ipfw, but is not true for ipf. >How-To-Repeat: Run a firewall at securelevel 2 and try to flush/change your ipf or ipnat rules. >Fix: There are only two references to securelevel in the ip-filter code. They should be changed from 'securelevel >= 2' to 'securelevel >=3'. *** ip_fil.c Wed May 23 09:39:37 2001 --- ip_fil.c.orig Wed May 23 09:39:12 2001 *************** *** 461,465 **** #if (BSD >= 199306) && defined(_KERNEL) ! if ((securelevel >= 3) && (mode & FWRITE)) return EPERM; #endif --- 461,465 ---- #if (BSD >= 199306) && defined(_KERNEL) ! if ((securelevel >= 2) && (mode & FWRITE)) return EPERM; #endif ----------------------------------------------------------- *** ip_nat.c Wed May 23 09:39:50 2001 --- ip_nat.c.orig Wed May 23 09:39:19 2001 *************** *** 428,432 **** #if (BSD >= 199306) && defined(_KERNEL) ! if ((securelevel >= 3) && (mode & FWRITE)) return EPERM; #endif --- 428,432 ---- #if (BSD >= 199306) && defined(_KERNEL) ! if ((securelevel >= 2) && (mode & FWRITE)) return EPERM; #endif >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
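Review bot: the ip_fil.c hunk at line 461 is generated in the reverse direction. Its `***` (old) side is ip_fil.c with `securelevel >= 3` and its `---` (new) side is ip_fil.c.orig with `securelevel >= 2`, so applying it as posted moves the check from 3 back to 2, the opposite of the change described under >Fix. Regenerate the diff with ip_fil.c.orig as the first file and ip_fil.c as the second, or say in the report that it has to be applied with patch -R.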
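Review bot: the ip_nat.c hunk at line 428 leaves `if ((securelevel >= 3) && (mode & FWRITE))` as a bare literal with no comment saying why 3 is the cutoff. A one-line comment pointing at the securelevel definitions in the init manpage, which the report cites as the intended behaviour, would help keep this check and the identical one in ip_fil.c from drifting away from the documentation again. This hunk also has the same reversed old/new order as the ip_fil.c hunk and needs the same regeneration.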