From: andria@tovaris.com
To: freebsd-gnats-submit@FreeBSD.org
Date: Thu, 24 May 2001 06:56:10 -0700 (PDT)
Message-Id: <200105241356.f4ODuAp66088@freefall.freebsd.org>
Subject: kern/27615: ipf restricts rule-changing at securelevel 2

>Number: 27615
>Category: kern
>Synopsis: ipf restricts rule-changing at securelevel 2
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu May 24 07:00:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Andria Thomas
>Release: 4.3-STABLE
>Organization: Tovaris
>Environment:
FreeBSD fw.intranet 4.3-STABLE FreeBSD 4.3-STABLE #1: Wed May 23 09:45:59 EDT 2001 root@fw.intranet:/data/obj/data/src/sys/FW i386
>Description:
According to the 'init' manpage, running at securelevel 2 should still allow the flushing/changing of ipf/ipnat rules. This is true for ipfw, but is not true for ipf.
>How-To-Repeat:
Run a firewall at securelevel 2 and try to flush/change your ipf or ipnat rules.
>Fix:
There are only two references to securelevel in the ip-filter code. They should be changed from 'securelevel >= 2' to 'securelevel >= 3'.

*** ip_fil.c Wed May 23 09:39:37 2001 --- ip_fil.c.orig Wed May 23 09:39:12 2001 *************** *** 461,465 **** #if (BSD >= 199306) && defined(_KERNEL) ! if ((securelevel >= 3) && (mode & FWRITE)) return EPERM; #endif --- 461,465 ---- #if (BSD >= 199306) && defined(_KERNEL) ! if ((securelevel >= 2) && (mode & FWRITE)) return EPERM; #endif ----------------------------------------------------------- *** ip_nat.c Wed May 23 09:39:50 2001 --- ip_nat.c.orig Wed May 23 09:39:19 2001 *************** *** 428,432 **** #if (BSD >= 199306) && defined(_KERNEL) ! if ((securelevel >= 3) && (mode & FWRITE)) return EPERM; #endif --- 428,432 ---- #if (BSD >= 199306) && defined(_KERNEL) ! if ((securelevel >= 2) && (mode & FWRITE)) return EPERM; #endif

>Release-Note:
>Audit-Trail:
>Unformatted:
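Review bot: the ip_fil.c hunk is generated in the wrong direction. The modified file (`*** ip_fil.c`) is given as the old side and `ip_fil.c.orig` as the new (`---`) side, so the `!` line patch(1) would apply reads `if ((securelevel >= 2) && (mode & FWRITE))`, which is the stock code, and against a stock tree patch(1) will either fail to find the `>= 3` context or report the patch as reversed. Regenerate with the original first, e.g. `diff -c ip_fil.c.orig ip_fil.c`, so the `---` section carries `securelevel >= 3`; this makes the hunk match the stated fix of raising the threshold to match the ipfw behaviour documented for securelevel 3.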
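Review bot: the ip_nat.c hunk has the same reversed orientation (`ip_nat.c.orig` is on the `---` side) and needs regenerating the same way. In addition, the condition sits under `#if (BSD >= 199306) && defined(_KERNEL)`, so moving the threshold from 2 to 3 changes the gate on every 4.4BSD-derived kernel this file is built into, while the justification comes from FreeBSD's init(8) description of securelevel 3 as the level at which packet filter rules become immutable; please either confirm that level 3 carries the same meaning on the other platforms covered by that guard, or keep the existing guard and make the new threshold FreeBSD-specific so the other platforms retain their current level-2 behaviour.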