Page MenuHomeFreeBSD
Differential D29659 Diff 87450 sys/netinet6/in6_jail.c

Changeset View

Standalone View

View Options

sys/netinet6/in6_jail.c

Show First 20 LinesShow All 78 Lines▼ Show 20 Lines for (i = 0; rc == 0 && i < sizeof(struct in6_addr); i++) {
if (ia6a->s6_addr[i] > ia6b->s6_addr[i]) if (ia6a->s6_addr[i] > ia6b->s6_addr[i])
rc = 1; rc = 1;
else if (ia6a->s6_addr[i] < ia6b->s6_addr[i]) else if (ia6a->s6_addr[i] < ia6b->s6_addr[i])
rc = -1; rc = -1;
} }
return (rc); return (rc);
} }
int /*
* Restrict a prison's IP address list with its parent's, possibly replacing
* it. Return true if the replacement buffer was used (or would have been).
*/
bool
prison_restrict_ip6(struct prison *pr, struct in6_addr *newip6) prison_restrict_ip6(struct prison *pr, struct in6_addr *newip6)
{ {
int ii, ij, used; int ii, ij;
bool used;
struct prison *ppr; struct prison *ppr;
ppr = pr->pr_parent; ppr = pr->pr_parent;
if (!(pr->pr_flags & PR_IP6_USER)) { if (!(pr->pr_flags & PR_IP6_USER)) {
/* This has no user settings, so just copy the parent's list. */ /* This has no user settings, so just copy the parent's list. */
if (pr->pr_ip6s < ppr->pr_ip6s) { if (pr->pr_ip6s < ppr->pr_ip6s) {
/* /*
* There's no room for the parent's list. Use the * There's no room for the parent's list. Use the
* new list buffer, which is assumed to be big enough * new list buffer, which is assumed to be big enough
* (if it was passed). If there's no buffer, try to * (if it was passed). If there's no buffer, try to
* allocate one. * allocate one.
*/ */
used = 1; used = true;
if (newip6 == NULL) { if (newip6 == NULL) {
newip6 = malloc(ppr->pr_ip6s * sizeof(*newip6), newip6 = malloc(ppr->pr_ip6s * sizeof(*newip6),
M_PRISON, M_NOWAIT); M_PRISON, M_NOWAIT);
if (newip6 != NULL) if (newip6 != NULL)
used = 0; used = false;
} }
if (newip6 != NULL) { if (newip6 != NULL) {
bcopy(ppr->pr_ip6, newip6, bcopy(ppr->pr_ip6, newip6,
ppr->pr_ip6s * sizeof(*newip6)); ppr->pr_ip6s * sizeof(*newip6));
free(pr->pr_ip6, M_PRISON); free(pr->pr_ip6, M_PRISON);
pr->pr_ip6 = newip6; pr->pr_ip6 = newip6;
pr->pr_ip6s = ppr->pr_ip6s; pr->pr_ip6s = ppr->pr_ip6s;
} }
▲ Show 20 LinesShow All 41 Lines▼ Show 20 Lines for (ij = 1; ii < pr->pr_ip6s; ) {
break; break;
} }
} }
if (pr->pr_ip6s == 0) { if (pr->pr_ip6s == 0) {
free(pr->pr_ip6, M_PRISON); free(pr->pr_ip6, M_PRISON);
pr->pr_ip6 = NULL; pr->pr_ip6 = NULL;
} }
} }
return 0; return (false);
} }
/* /*
* Pass back primary IPv6 address for this jail. * Pass back primary IPv6 address for this jail.
* *
* If not restricted return success but do not alter the address. Caller has * If not restricted return success but do not alter the address. Caller has
* to make sure to initialize it correctly (e.g. IN6ADDR_ANY_INIT). * to make sure to initialize it correctly (e.g. IN6ADDR_ANY_INIT).
* *
Show All 21 Linesprison_get_ip6(struct ucred *cred, struct in6_addr *ia6)
} }
bcopy(&pr->pr_ip6[0], ia6, sizeof(struct in6_addr)); bcopy(&pr->pr_ip6[0], ia6, sizeof(struct in6_addr));
mtx_unlock(&pr->pr_mtx); mtx_unlock(&pr->pr_mtx);
return (0); return (0);
} }
/* /*
* Return 1 if we should do proper source address selection or are not jailed. * Return true if we should do proper source address selection or are not jailed.
* We will return 0 if we should bypass source address selection in favour * We will return false if we should bypass source address selection in favour
* of the primary jail IPv6 address. Only in this case *ia will be updated and * of the primary jail IPv6 address. Only in this case *ia will be updated and
* returned in NBO. * returned in NBO.
* Return EAFNOSUPPORT, in case this jail does not allow IPv6. * Return true, even in case this jail does not allow IPv6.
*/ */
int bool
prison_saddrsel_ip6(struct ucred *cred, struct in6_addr *ia6) prison_saddrsel_ip6(struct ucred *cred, struct in6_addr *ia6)
{ {
struct prison *pr; struct prison *pr;
struct in6_addr lia6; struct in6_addr lia6;
int error;
KASSERT(cred != NULL, ("%s: cred is NULL", __func__)); KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__)); KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
if (!jailed(cred)) if (!jailed(cred))
return (1); return (true);
pr = cred->cr_prison; pr = cred->cr_prison;
if (pr->pr_flags & PR_IP6_SADDRSEL) if (pr->pr_flags & PR_IP6_SADDRSEL)
return (1); return (true);
lia6 = in6addr_any; lia6 = in6addr_any;
error = prison_get_ip6(cred, &lia6); if (prison_get_ip6(cred, &lia6) != 0)
if (error) return (true);
return (error);
if (IN6_IS_ADDR_UNSPECIFIED(&lia6)) if (IN6_IS_ADDR_UNSPECIFIED(&lia6))
return (1); return (true);
bcopy(&lia6, ia6, sizeof(struct in6_addr)); bcopy(&lia6, ia6, sizeof(struct in6_addr));
return (0); return (false);
} }
/* /*
* Return true if pr1 and pr2 have the same IPv6 address restrictions. * Return true if pr1 and pr2 have the same IPv6 address restrictions.
*/ */
int bool
prison_equal_ip6(struct prison *pr1, struct prison *pr2) prison_equal_ip6(struct prison *pr1, struct prison *pr2)
{ {
if (pr1 == pr2) if (pr1 == pr2)
return (1); return (true);
while (pr1 != &prison0 && while (pr1 != &prison0 &&
#ifdef VIMAGE #ifdef VIMAGE
!(pr1->pr_flags & PR_VNET) && !(pr1->pr_flags & PR_VNET) &&
#endif #endif
!(pr1->pr_flags & PR_IP6_USER)) !(pr1->pr_flags & PR_IP6_USER))
pr1 = pr1->pr_parent; pr1 = pr1->pr_parent;
while (pr2 != &prison0 && while (pr2 != &prison0 &&
▲ Show 20 LinesShow All 163 LinesShow Last 20 Lines