D53623.id167717.diff
No OneTemporary
Actions

Size

2 KB

Referenced Files

None

Subscribers

None

D53623.id167717.diff
View Options

	diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c
	--- a/sbin/ipf/libipf/interror.c
	+++ b/sbin/ipf/libipf/interror.c
	@@ -531,6 +531,7 @@
	{ 130016, "finding pfil head failed" },
	{ 130017, "ipfilter is already initialised and running" },
	{ 130018, "ioctl denied in jail without VNET" },
	+ { 130019, "ioctl denied in jail" },
	};


	diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
	--- a/sys/netpfil/ipfilter/netinet/fil.c
	+++ b/sys/netpfil/ipfilter/netinet/fil.c
	@@ -9096,6 +9096,7 @@
	softc->ipf_icmpminfragmtu = 68;
	softc->ipf_max_namelen = 128;
	softc->ipf_flags = IPF_LOGGING;
	+ softc->ipf_jail_allowed = 0;

	#ifdef LARGE_NAT
	softc->ipf_large_nat = 1;
	diff --git a/sys/netpfil/ipfilter/netinet/ip_fil.h b/sys/netpfil/ipfilter/netinet/ip_fil.h
	--- a/sys/netpfil/ipfilter/netinet/ip_fil.h
	+++ b/sys/netpfil/ipfilter/netinet/ip_fil.h
	@@ -1550,6 +1550,7 @@
	u_int ipf_icmpacktimeout;
	u_int ipf_iptimeout;
	u_int ipf_large_nat;
	+ u_int ipf_jail_allowed;
	u_long ipf_ticks;
	u_long ipf_userifqs;
	u_long ipf_rb_no_mem;
	diff --git a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c
	--- a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c
	+++ b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c
	@@ -88,6 +88,7 @@
	.ipf_running = -2,
	};
	#define V_ipfmain VNET(ipfmain)
	+#define V0_ipfmain VNET_VNET(vnet0,ipfmain)

	#include <sys/conf.h>
	#include <net/pfil.h>
	@@ -254,6 +255,20 @@
	return (EPERM);
	}

	+ /*
	+ * Remember, the host system (with its vnet0) controls
	+ * whether a jail is allowed to use ipfilter or not.
	+ * The default is ipfilter cannot be used by a jail
	+ * unless the sysctl allows it.
	+ */
	+ if (V0_ipfmain.ipf_jail_allowed == 0) {
	+ if (jailed(p->p_cred)) {
	+ V_ipfmain.ipf_interror = 130019;
	+ CURVNET_RESTORE();
	+ return (EOPNOTSUPP);
	+ }
	+ }
	+
	if (jailed_without_vnet(p->p_cred)) {
	V_ipfmain.ipf_interror = 130018;
	CURVNET_RESTORE();
	diff --git a/sys/netpfil/ipfilter/netinet/mlfk_ipl.c b/sys/netpfil/ipfilter/netinet/mlfk_ipl.c
	--- a/sys/netpfil/ipfilter/netinet/mlfk_ipl.c
	+++ b/sys/netpfil/ipfilter/netinet/mlfk_ipl.c
	@@ -136,6 +136,7 @@
	SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &VNET_NAME(ipfmain.ipf_minttl), 0, "");
	SYSCTL_IPF(_net_inet_ipf, OID_AUTO, large_nat, CTLFLAG_RDTUN \| CTLFLAG_NOFETCH, &VNET_NAME(ipfmain.ipf_large_nat), 0, "large_nat");
	SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_max_namelen, CTLFLAG_RWTUN, &VNET_NAME(ipfmain.ipf_max_namelen), 0, "max_namelen");
	+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, jail_allowed, CTLFLAG_RWTUN, &VNET_NAME(ipfmain.ipf_jail_allowed), 0, "jail_allowed");

	#define CDEV_MAJOR 79
	#include <sys/poll.h>

File Metadata

Mime Type: text/plain
Expires: Sun, Apr 12, 5:55 PM (45 m, 50 s)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 31362136
Default Alt Text: D53623.id167717.diff (2 KB)

D53623.id167717.diffNo OneTemporaryActions

D53623.id167717.diffView Options

File Metadata

Event Timeline

D53623.id167717.diff
No OneTemporary
Actions

D53623.id167717.diff
View Options