Date:      Mon, 13 Jan 2003 10:59:02 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Pawel Jakub Dawidek <nick@garage.freebsd.pl>
Cc:        Bruce Evans <bde@zeta.org.au>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, luigi@FreeBSD.ORG
Subject:   Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c
Message-ID:  <200301131859.h0DIx2pa004540@apollo.backplane.com>
References:  <20030113082610.GH9430@garage.freebsd.pl> <20030113222917.C12128-100000@gamplex.bde.org> <20030113140700.GP9430@garage.freebsd.pl>

    This seems like overkill to me.  Why not simply implement
    CTLFLAG_SECURE3?  Also, the comment that Bruce quoted seems to
    imply that MAC will eventually take over this functionality.  I
    suppose we could have a bandaid until then but if so I would
    far prefer a CTLFLAG_SECURE3 bandaid than changing ip_fw_enable
    into a SYSCTL_PROC.

					-Matt

:Ok, could someone commit this?
:
:--- ip_fw2.c.orig	Fri Dec 27 18:43:25 2002
:+++ ip_fw2.c	Mon Jan 13 15:02:54 2003
:@@ -111,9 +111,32 @@
:=20
: #ifdef SYSCTL_NODE
: SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
:-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable,
:-    CTLFLAG_RW | CTLFLAG_SECURE,
:-    &fw_enable, 0, "Enable ipfw");
:+
:+static int
:+sysctl_net_inet_ip_fw_enable(SYSCTL_HANDLER_ARGS)
:+{
:+	int error, enable;
:+
:+	enable =3D fw_enable;
:+	error =3D sysctl_handle_int(oidp, &enable, 0, req);
:+	if (error !=3D 0 || req->newptr =3D=3D NULL || enable =3D=3D fw_enable)
:+		return (error);
:+
:+#if __FreeBSD_version >=3D 500034
:+	error =3D securelevel_ge(req->td->td_ucred, 3);
:+	if (error !=3D 0)
:+		return (error);
:+#else
:+	if (securelevel >=3D 3)
:+		return (EPERM);
:+#endif
:+	fw_enable =3D enable;
:+
:+	return(0);
:+}
:+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT | CTLFLAG_RW, 0=
:, 0,
:+    sysctl_net_inet_ip_fw_enable, "I", "Enable ipfw");
:+
: SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, CTLFLAG_RW,
:     &autoinc_step, 0, "Rule number autincrement step");
: SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, one_pass,
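Review bot: replacing CTLFLAG_SECURE on the old SYSCTL_INT with a handler that only refuses writes at securelevel 3 (`securelevel_ge(req->td->td_ucred, 3)` on the new branch, `securelevel >= 3` on the old one) changes the policy, not just the mechanism: the dropped flag permitted a set only at securelevel <= 0, so after this hunk net.inet.ip.fw.enable becomes writable at securelevels 1 and 2 where it was previously refused. If loosening the restriction to securelevel 3 is the intent, state it in the commit message and document it in ipfw.8, and consider whether a CTLFLAG_SECURE3-style flag on the declarative SYSCTL_INT would give the same effect without an open-coded handler and the `#if __FreeBSD_version` fork. Minor: `return(0);` should be `return (0);` to match the `return (error);` lines above it.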
:
:-- 
:Pawel Jakub Dawidek
:UNIX Systems Administrator
