From owner-freebsd-bugs@FreeBSD.ORG Thu Oct 2 08:52:31 2003
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C467B16A4B3; Thu, 2 Oct 2003 08:52:31 -0700 (PDT)
Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2E7D843FA3; Thu, 2 Oct 2003 08:52:29 -0700 (PDT) (envelope-from bde@zeta.org.au)
Received: from gamplex.bde.org (katana.zip.com.au [61.8.7.246]) by mailman.zeta.org.au (8.9.3p2/8.8.7) with ESMTP id BAA21873; Fri, 3 Oct 2003 01:52:26 +1000
Date: Fri, 3 Oct 2003 01:51:04 +1000 (EST)
From: Bruce Evans
X-X-Sender: bde@gamplex.bde.org
To: Ruslan Ermilov
In-Reply-To: <200310021210.h92CAFjS054739@freefall.freebsd.org>
Message-ID: <20031003011309.L10613@gamplex.bde.org>
References: <200310021210.h92CAFjS054739@freefall.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-bugs@freebsd.org
Subject: Re: kern/57492: Firewall can be disabled in securelevel 3
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Thu, 02 Oct 2003 15:52:31 -0000

> My apologies, I forgot that I have this problem fixed locally,
> but it's not in the FreeBSD repository. I will re-open the
> bug. The patch, FWIW, is as follows:

This has some style bugs:

> %%%
> Index: ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/Attic/ip_fw.c,v
> retrieving revision 1.131.2.39
> diff -u -p -r1.131.2.39 ip_fw.c
> --- ip_fw.c 20 Jan 2003 02:23:07 -0000 1.131.2.39
> +++ ip_fw.c 2 Oct 2003 12:07:35 -0000
> @@ -94,11 +94,21 @@ LIST_HEAD (ip_fw_head, ip_fw) ip_fw_chai
> MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
>
> #ifdef SYSCTL_NODE
> +
> +static int
> +sysctl_fw_securelevel_check(SYSCTL_HANDLER_ARGS)

Function in the middle of declarations.

> +{
> +
> + if (req->newptr && securelevel >= 3)
> + return (EPERM);
> + return sysctl_handle_int(oidp, arg1, arg2, req);

Missing parentheses around return value.

> +}
> +
> SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
> -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> - &fw_enable, 0, "Enable ipfw");
> -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
> - &fw_one_pass, 0,
> +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW,
> + &fw_enable, 0, sysctl_fw_securelevel_check, "I", "Enable ipfw");

Missing spaces around binary operator `|'.

> +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, one_pass, CTLTYPE_INT|CTLFLAG_RW,
> + &fw_one_pass, 0, sysctl_fw_securelevel_check, "I",

Many more of these.

> @@ -173,30 +183,40 @@ static u_int32_t static_count = 0 ; /* #
> ...
> +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLTYPE_INT|CTLFLAG_RD,
> + &curr_dyn_buckets, 0, sysctl_fw_securelevel_check, "IU",
> + "Current Number of dyn. buckets");

Also this and others with too-long lines.

Bruce
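Review bot: sysctl_fw_securelevel_check in the first hunk (@@ -94,11 +94,21 @@) carries no comment saying why 3 is the threshold; a one-line reference to the init(8) definition of securelevel 3 (network secure mode, in which IP packet filter rules may not be changed) would document the intent and stop a later reader from "fixing" it to 2 or 1. Note also that the handler refuses every write when `req->newptr` is set, including one that re-asserts the current value, so `enable=1` at securelevel 3 fails with EPERM instead of being a no-op; that is probably the desired behaviour for a security check, but it should be stated next to the check since the PR only asks that the firewall not be disabled.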
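Review bot: in the second hunk (@@ -173,30 +183,40 @@), attaching sysctl_fw_securelevel_check to curr_dyn_buckets is redundant: the node is CTLFLAG_RD, and the sysctl framework rejects a write to a read-only node before any handler is called, so the `req->newptr` branch can never be reached there. Leaving the read-only nodes as plain SYSCTL_INT and converting only the CTLFLAG_RW ones to SYSCTL_PROC keeps the change to what the PR needs and also removes most of the over-long lines noted above.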