diff options
author | jamie <jamie@FreeBSD.org> | 2009-02-05 14:58:16 +0000 |
---|---|---|
committer | jamie <jamie@FreeBSD.org> | 2009-02-05 14:58:16 +0000 |
commit | 3e0f2e8d7e08942b9442712121698c9c59506563 (patch) | |
tree | d25777beea0fdf3030cb98069efbc6efe115b2e4 /sys/net/rtsock.c | |
parent | bbcda547da3ebc4ff1d85c6960c8bd2478f200ec (diff) | |
download | FreeBSD-src-3e0f2e8d7e08942b9442712121698c9c59506563.zip FreeBSD-src-3e0f2e8d7e08942b9442712121698c9c59506563.tar.gz |
Call prison_if from rtm_get_jailed, instead of splitting it out into
prison_check_ip4 and prison_check_ip6. As prison_if includes a jailed()
check, remove that check before calling rtm_get_jailed.
Approved by: bz (mentor)
Diffstat (limited to 'sys/net/rtsock.c')
-rw-r--r-- | sys/net/rtsock.c | 153 |
1 files changed, 63 insertions, 90 deletions
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c index 8d2d07a..91aec20 100644 --- a/sys/net/rtsock.c +++ b/sys/net/rtsock.c @@ -337,55 +337,48 @@ rtm_get_jailed(struct rt_addrinfo *info, struct ifnet *ifp, struct rtentry *rt, union sockaddr_union *saun, struct ucred *cred) { + /* First, see if the returned address is part of the jail. */ + if (prison_if(cred, rt->rt_ifa->ifa_addr) == 0) { + info->rti_info[RTAX_IFA] = rt->rt_ifa->ifa_addr; + return (0); + } + switch (info->rti_info[RTAX_DST]->sa_family) { #ifdef INET case AF_INET: { struct in_addr ia; + struct ifaddr *ifa; + int found; + found = 0; /* - * 1. Check if the returned address is part of the jail. + * Try to find an address on the given outgoing interface + * that belongs to the jail. */ - ia = ((struct sockaddr_in *)rt->rt_ifa->ifa_addr)->sin_addr; - if (prison_check_ip4(cred, &ia) == 0) { - info->rti_info[RTAX_IFA] = rt->rt_ifa->ifa_addr; - - } else { - struct ifaddr *ifa; - int found; - - found = 0; - + TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { + struct sockaddr *sa; + sa = ifa->ifa_addr; + if (sa->sa_family != AF_INET) + continue; + ia = ((struct sockaddr_in *)sa)->sin_addr; + if (prison_check_ip4(cred, &ia) == 0) { + found = 1; + break; + } + } + if (!found) { /* - * 2. Try to find an address on the given outgoing - * interface that belongs to the jail. + * As a last resort return the 'default' jail address. */ - TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { - struct sockaddr *sa; - sa = ifa->ifa_addr; - if (sa->sa_family != AF_INET) - continue; - ia = ((struct sockaddr_in *)sa)->sin_addr; - if (prison_check_ip4(cred, &ia) == 0) { - found = 1; - break; - } - } - if (!found) { - /* - * 3. As a last resort return the 'default' - * jail address. - */ - if (prison_get_ip4(cred, &ia) != 0) - return (ESRCH); - } - bzero(&saun->sin, sizeof(struct sockaddr_in)); - saun->sin.sin_len = sizeof(struct sockaddr_in); - saun->sin.sin_family = AF_INET; - saun->sin.sin_addr.s_addr = ia.s_addr; - info->rti_info[RTAX_IFA] = - (struct sockaddr *)&saun->sin; + if (prison_get_ip4(cred, &ia) != 0) + return (ESRCH); } + bzero(&saun->sin, sizeof(struct sockaddr_in)); + saun->sin.sin_len = sizeof(struct sockaddr_in); + saun->sin.sin_family = AF_INET; + saun->sin.sin_addr.s_addr = ia.s_addr; + info->rti_info[RTAX_IFA] = (struct sockaddr *)&saun->sin; break; } #endif @@ -393,54 +386,40 @@ rtm_get_jailed(struct rt_addrinfo *info, struct ifnet *ifp, case AF_INET6: { struct in6_addr ia6; + struct ifaddr *ifa; + int found; + found = 0; /* - * 1. Check if the returned address is part of the jail. + * Try to find an address on the given outgoing interface + * that belongs to the jail. */ - bcopy(&((struct sockaddr_in6 *)rt->rt_ifa->ifa_addr)->sin6_addr, - &ia6, sizeof(struct in6_addr)); - if (prison_check_ip6(cred, &ia6) == 0) { - info->rti_info[RTAX_IFA] = rt->rt_ifa->ifa_addr; - } else { - struct ifaddr *ifa; - int found; - - found = 0; - + TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { + struct sockaddr *sa; + sa = ifa->ifa_addr; + if (sa->sa_family != AF_INET6) + continue; + bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr, + &ia6, sizeof(struct in6_addr)); + if (prison_check_ip6(cred, &ia6) == 0) { + found = 1; + break; + } + } + if (!found) { /* - * 2. Try to find an address on the given outgoing - * interface that belongs to the jail. + * As a last resort return the 'default' jail address. */ - TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { - struct sockaddr *sa; - sa = ifa->ifa_addr; - if (sa->sa_family != AF_INET6) - continue; - bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr, - &ia6, sizeof(struct in6_addr)); - if (prison_check_ip6(cred, &ia6) == 0) { - found = 1; - break; - } - } - if (!found) { - /* - * 3. As a last resort return the 'default' - * jail address. - */ - if (prison_get_ip6(cred, &ia6) != 0) - return (ESRCH); - } - bzero(&saun->sin6, sizeof(struct sockaddr_in6)); - saun->sin6.sin6_len = sizeof(struct sockaddr_in6); - saun->sin6.sin6_family = AF_INET6; - bcopy(&ia6, &saun->sin6.sin6_addr, - sizeof(struct in6_addr)); - if (sa6_recoverscope(&saun->sin6) != 0) + if (prison_get_ip6(cred, &ia6) != 0) return (ESRCH); - info->rti_info[RTAX_IFA] = - (struct sockaddr *)&saun->sin6; } + bzero(&saun->sin6, sizeof(struct sockaddr_in6)); + saun->sin6.sin6_len = sizeof(struct sockaddr_in6); + saun->sin6.sin6_family = AF_INET6; + bcopy(&ia6, &saun->sin6.sin6_addr, sizeof(struct in6_addr)); + if (sa6_recoverscope(&saun->sin6) != 0) + return (ESRCH); + info->rti_info[RTAX_IFA] = (struct sockaddr *)&saun->sin6; break; } #endif @@ -628,17 +607,11 @@ route_output(struct mbuf *m, struct socket *so) if (ifp) { info.rti_info[RTAX_IFP] = ifp->if_addr->ifa_addr; - if (jailed(curthread->td_ucred)) { - error = rtm_get_jailed( - &info, ifp, rt, &saun, - curthread->td_ucred); - if (error != 0) { - RT_UNLOCK(rt); - senderr(ESRCH); - } - } else { - info.rti_info[RTAX_IFA] = - rt->rt_ifa->ifa_addr; + error = rtm_get_jailed(&info, ifp, rt, + &saun, curthread->td_ucred); + if (error != 0) { + RT_UNLOCK(rt); + senderr(error); } if (ifp->if_flags & IFF_POINTOPOINT) info.rti_info[RTAX_BRD] = |