From owner-freebsd-bugs@FreeBSD.ORG  Thu Oct  2 08:52:31 2003
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id C467B16A4B3; Thu,  2 Oct 2003 08:52:31 -0700 (PDT)
Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 2E7D843FA3; Thu,  2 Oct 2003 08:52:29 -0700 (PDT)
	(envelope-from bde@zeta.org.au)
Received: from gamplex.bde.org (katana.zip.com.au [61.8.7.246])
	by mailman.zeta.org.au (8.9.3p2/8.8.7) with ESMTP id BAA21873;
	Fri, 3 Oct 2003 01:52:26 +1000
Date: Fri, 3 Oct 2003 01:51:04 +1000 (EST)
From: Bruce Evans <bde@zeta.org.au>
X-X-Sender: bde@gamplex.bde.org
To: Ruslan Ermilov <ru@freebsd.org>
In-Reply-To: <200310021210.h92CAFjS054739@freefall.freebsd.org>
Message-ID: <20031003011309.L10613@gamplex.bde.org>
References: <200310021210.h92CAFjS054739@freefall.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-bugs@freebsd.org
Subject: Re: kern/57492: Firewall can be disabled in securelevel 3
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Oct 2003 15:52:31 -0000

>  My apologies, I forgot that I have this problem fixed locally,
>  but it's not in the FreeBSD repository.  I will re-open the
>  bug.  The patch, FWIW, is as follows:

This has some style bugs:

>  %%%
>  Index: ip_fw.c
>  ===================================================================
>  RCS file: /home/ncvs/src/sys/netinet/Attic/ip_fw.c,v
>  retrieving revision 1.131.2.39
>  diff -u -p -r1.131.2.39 ip_fw.c
>  --- ip_fw.c	20 Jan 2003 02:23:07 -0000	1.131.2.39
>  +++ ip_fw.c	2 Oct 2003 12:07:35 -0000
>  @@ -94,11 +94,21 @@ LIST_HEAD (ip_fw_head, ip_fw) ip_fw_chai
>   MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
>
>   #ifdef SYSCTL_NODE
>  +
>  +static int
>  +sysctl_fw_securelevel_check(SYSCTL_HANDLER_ARGS)

Function in the middle of declarations.

>  +{
>  +
>  +	if (req->newptr && securelevel >= 3)
>  +		return (EPERM);
>  +	return sysctl_handle_int(oidp, arg1, arg2, req);

Missing parentheses around return value.

>  +}
>  +
>   SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
>  -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
>  -    &fw_enable, 0, "Enable ipfw");
>  -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
>  -    &fw_one_pass, 0,
>  +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW,
>  +    &fw_enable, 0, sysctl_fw_securelevel_check, "I", "Enable ipfw");

Missing spaces around binary operator `|'.

>  +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, one_pass, CTLTYPE_INT|CTLFLAG_RW,
>  +    &fw_one_pass, 0, sysctl_fw_securelevel_check, "I",

Many more of these.

>  @@ -173,30 +183,40 @@ static u_int32_t static_count = 0 ;	/* #
> ...
>  +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLTYPE_INT|CTLFLAG_RD,
>  +    &curr_dyn_buckets, 0, sysctl_fw_securelevel_check, "IU",
>  +    "Current Number of dyn. buckets");

Also this and others with too-long lines.

Bruce