| author | csjp <csjp@FreeBSD.org> | 2004-08-12 22:06:55 +0000 |
|---|---|---|
| committer | csjp <csjp@FreeBSD.org> | 2004-08-12 22:06:55 +0000 |
| commit | 6661aed38d315a94d79f9f5311239dbfeceb4083 (patch) | |
| tree | 8b1ead136b954572913352304170c0ae98120eea /sbin/ipfw/ipfw2.c | |
| parent | 00b723c98e12d2b81faf26ac4151bc1a09058f7c (diff) | |
Add the ability to associate ipfw rules with a specific prison ID.
Since the only thing truly unique about a prison is its ID, I figured
this would be the most granular way of handling this.
This commit makes the following changes:
- Adds tokenizing and parsing for the ``jail'' command line option
to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While I am here, add a comment informing others that if they
want to add additional opcodes, they should append them to the end
of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed,
set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.
This change was a strong motivator behind the ucred caching
mechanism in ipfw.
A sample usage of this new functionality could be:
ipfw add count ip from any to any jail 2
It should be noted that because ucred based constraints
are only implemented for TCP and UDP packets, the same
applies for jail associations.
Conceptual head nod by: pjd
Reviewed by: rwatson
Approved by: bmilekic (mentor)
Diffstat (limited to 'sbin/ipfw/ipfw2.c')
-rw-r--r-- | sbin/ipfw/ipfw2.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index 1030e39..bac3552 100644 --- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c @@ -204,6 +204,7 @@ enum tokens { TOK_UID, TOK_GID, + TOK_JAIL, TOK_IN, TOK_LIMIT, TOK_KEEPSTATE, @@ -304,6 +305,7 @@ struct _s_x rule_actions[] = { struct _s_x rule_options[] = { { "uid", TOK_UID }, { "gid", TOK_GID }, + { "jail", TOK_JAIL }, { "in", TOK_IN }, { "limit", TOK_LIMIT }, { "keep-state", TOK_KEEPSTATE }, @@ -1284,6 +1286,10 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth) } break; + case O_JAIL: + printf(" jail %d", cmd32->d[0]); + break; + case O_VERREVPATH: printf(" verrevpath"); break; @@ -3298,6 +3304,22 @@ read_options: } break; + case TOK_JAIL: + NEED1("jail requires argument"); + { + char *end; + int jid; + + cmd->opcode = O_JAIL; + jid = (int)strtol(*av, &end, 0); + if (jid < 0 || *end != '\0') + errx(EX_DATAERR, "jail requires prison ID"); + cmd32->d[0] = (unsigned int)jid; + cmd->len = F_INSN_SIZE(ipfw_insn_u32); + ac--; av++; + } + break; + case TOK_ESTAB: fill_cmd(cmd, O_ESTAB, 0, 0); break; |
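Review bot: in the show_ipfw hunk, `printf(" jail %d", cmd32->d[0]);` formats the u32 slot with `%d`, while the parser hunk stores it as `(unsigned int)jid`. Because the parser rejects negative values the mismatch is harmless in practice, but `%u` (or a cast back to `int`) would keep the print format consistent with the storage type and avoid a -Wformat warning.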
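Review bot: in the TOK_JAIL hunk, the check `if (jid < 0 || *end != '\0')` does not reject an empty argument: for `""`, strtol consumes nothing, leaves `end` pointing at the terminating NUL and returns 0, so `ipfw add ... jail ""` silently builds a rule for jail 0, which per the commit message can never match (unjailed traffic caches fw_prid as -1). Add `end == *av` to the rejection condition. The `(int)strtol(*av, &end, 0)` cast also hides out-of-range input: a value above INT_MAX truncates on LP64 targets, and the LONG_MAX clamp strtol returns on ERANGE is cast without being checked. Keep the result in a `long`, test errno/ERANGE and the int range, and only then assign to `cmd32->d[0]`.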