authorcsjp <csjp@FreeBSD.org>2004-08-12 22:06:55 +0000
committercsjp <csjp@FreeBSD.org>2004-08-12 22:06:55 +0000
commit6661aed38d315a94d79f9f5311239dbfeceb4083 (patch)
tree8b1ead136b954572913352304170c0ae98120eea /sbin/ipfw
parent00b723c98e12d2b81faf26ac4151bc1a09058f7c (diff)
downloadFreeBSD-src-6661aed38d315a94d79f9f5311239dbfeceb4083.zip
FreeBSD-src-6661aed38d315a94d79f9f5311239dbfeceb4083.tar.gz
Add the ability to associate ipfw rules with a specific prison ID.
Since the only thing truly unique about a prison is its ID, I figured this would be the most granular way of handling this. This commit makes the following changes: - Adds tokenizing and parsing for the ``jail'' command line option to the ipfw(8) userspace utility. - Append the ipfw opcode list with O_JAIL. - While I am here, add a comment informing others that if they want to add additional opcodes, they should append them to the end of the list to avoid ABI breakage. - Add ``fw_prid'' to the ipfw ucred cache structure. - When initializing the ucred cache, if the process is jailed, set fw_prid to the prison ID, otherwise set it to -1. - Update the man page to reflect these changes. This change was a strong motivator behind the ucred caching mechanism in ipfw. A sample usage of this new functionality could be: ipfw add count ip from any to any jail 2 It should be noted that because ucred based constraints are only implemented for TCP and UDP packets, the same applies for jail associations. Conceptual head nod by: pjd Reviewed by: rwatson Approved by: bmilekic (mentor)
Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipfw.84
-rw-r--r--sbin/ipfw/ipfw2.c22
2 files changed, 26 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index e01ac72..eb9e92b 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -929,6 +929,10 @@ Matches all TCP or UDP packets sent by or received for a
A
.Ar group
may be specified by name or number.
+.It Cm jail Ar prisonID
+Matches all TCP or UDP packets sent by or received for the
+jail whos prison ID is
+.Ar prisoniD .
.It Cm icmptypes Ar types
Matches ICMP packets whose ICMP type is in the list
.Ar types .
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index 1030e39..bac3552 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -204,6 +204,7 @@ enum tokens {
TOK_UID,
TOK_GID,
+ TOK_JAIL,
TOK_IN,
TOK_LIMIT,
TOK_KEEPSTATE,
@@ -304,6 +305,7 @@ struct _s_x rule_actions[] = {
struct _s_x rule_options[] = {
{ "uid", TOK_UID },
{ "gid", TOK_GID },
+ { "jail", TOK_JAIL },
{ "in", TOK_IN },
{ "limit", TOK_LIMIT },
{ "keep-state", TOK_KEEPSTATE },
@@ -1284,6 +1286,10 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
}
break;
+ case O_JAIL:
+ printf(" jail %d", cmd32->d[0]);
+ break;
+
case O_VERREVPATH:
printf(" verrevpath");
break;
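Review bot: `printf(" jail %d", cmd32->d[0]);` prints the stored prison ID with `%d` although the parser hunk below stores it as `(unsigned int)jid`, so the specifier does not match the argument type and -Wformat will warn on it. In practice the parser rejects negative values, so the printed number is right, but the mismatch is still undefined per the standard and easy to fix: `printf(" jail %u", cmd32->d[0]);`. I am inferring d[0]'s type from the cast in the parser; the ipfw_insn_u32 definition is not in this diff. show_ipfw's body continues on both sides of the hunk.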
@@ -3298,6 +3304,22 @@ read_options:
}
break;
+ case TOK_JAIL:
+ NEED1("jail requires argument");
+ {
+ char *end;
+ int jid;
+
+ cmd->opcode = O_JAIL;
+ jid = (int)strtol(*av, &end, 0);
+ if (jid < 0 || *end != '\0')
+ errx(EX_DATAERR, "jail requires prison ID");
+ cmd32->d[0] = (unsigned int)jid;
+ cmd->len = F_INSN_SIZE(ipfw_insn_u32);
+ ac--; av++;
+ }
+ break;
+
case TOK_ESTAB:
fill_cmd(cmd, O_ESTAB, 0, 0);
break;
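Review bot: On the `jid = (int)strtol(*av, &end, 0);` line the long result is truncated to int before the range check runs, and the check never rejects an empty argument, so an out-of-range value can wrap into a non-negative int and an empty string after `jail` parses as prison ID 0 with `end == *av` and `*end == '\0'`. errno is neither cleared before nor examined after strtol, so ERANGE overflow is also silent. Parse into a long, reject `end == *av`, `errno == ERANGE` and `val > INT_MAX` before storing into d[0], which lets the `int jid` local go; this assumes `<errno.h>` and `<limits.h>` are already included in ipfw2.c, which the hunk does not show. The enclosing function (the read_options label's switch) begins and ends outside the hunk.
```c
			char *end;
			long val;

			cmd->opcode = O_JAIL;
			errno = 0;
			val = strtol(*av, &end, 0);
			if (end == *av || *end != '\0' || errno == ERANGE ||
			    val < 0 || val > INT_MAX)
				errx(EX_DATAERR, "jail requires prison ID");
			cmd32->d[0] = (unsigned int)val;
			/* ... unchanged: cmd->len assignment, ac--/av++ ... */
```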