authorcsjp <csjp@FreeBSD.org>2004-08-12 22:06:55 +0000
committercsjp <csjp@FreeBSD.org>2004-08-12 22:06:55 +0000
commit6661aed38d315a94d79f9f5311239dbfeceb4083 (patch)
tree8b1ead136b954572913352304170c0ae98120eea /sys/netinet/ip_fw2.c
parent00b723c98e12d2b81faf26ac4151bc1a09058f7c (diff)
Add the ability to associate ipfw rules with a specific prison ID.
Since the only thing truly unique about a prison is its ID, I figured this would be the most granular way of handling this. This commit makes the following changes: - Adds tokenizing and parsing for the ``jail'' command line option to the ipfw(8) userspace utility. - Append the ipfw opcode list with O_JAIL. - While I am here, add a comment informing others that if they want to add additional opcodes, they should append them to the end of the list to avoid ABI breakage. - Add ``fw_prid'' to the ipfw ucred cache structure. - When initializing ucred cache, if the process is jailed, set fw_prid to the prison ID, otherwise set it to -1. - Update man page to reflect these changes. This change was a strong motivator behind the ucred caching mechanism in ipfw. A sample usage of this new functionality could be: ipfw add count ip from any to any jail 2 It should be noted that because ucred based constraints are only implemented for TCP and UDP packets, the same applies for jail associations. Conceptual head nod by: pjd Reviewed by: rwatson Approved by: bmilekic (mentor)
Diffstat (limited to 'sys/netinet/ip_fw2.c')
-rw-r--r--sys/netinet/ip_fw2.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 7333f68..7559db7 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -50,6 +50,7 @@
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/kernel.h>
+#include <sys/jail.h>
#include <sys/module.h>
#include <sys/proc.h>
#include <sys/socket.h>
@@ -111,6 +112,7 @@ struct ip_fw_ugid {
gid_t fw_groups[NGROUPS];
int fw_ngroups;
uid_t fw_uid;
+ int fw_prid;
};
struct ip_fw_chain {
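Review bot: The new `fw_prid` member of struct ip_fw_ugid is added without a comment, so a reader of the cache has to find the fill site in check_uidgid to learn that -1 is a sentinel for "not jailed" rather than a prison ID. Suggest `int fw_prid; /* prison ID of the socket's credential, or -1 if not jailed */`. The struct's opening line is outside the hunk.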
@@ -1579,6 +1581,8 @@ check_uidgid(ipfw_insn_u32 *insn,
INP_LOCK(pcb);
if (pcb->inp_socket != NULL) {
cr = pcb->inp_socket->so_cred;
+ ugp->fw_prid = jailed(cr) ?
+ cr->cr_prison->pr_id : -1;
ugp->fw_uid = cr->cr_uid;
ugp->fw_ngroups = cr->cr_ngroups;
bcopy(cr->cr_groups, ugp->fw_groups,
@@ -1601,13 +1605,15 @@ check_uidgid(ipfw_insn_u32 *insn,
}
if (insn->o.opcode == O_UID)
match = (ugp->fw_uid == (uid_t)insn->d[0]);
- else if (insn->o.opcode == O_GID)
+ else if (insn->o.opcode == O_GID) {
for (gp = ugp->fw_groups;
gp < &ugp->fw_groups[ugp->fw_ngroups]; gp++)
if (*gp == (gid_t)insn->d[0]) {
match = 1;
break;
}
+ } else if (insn->o.opcode == O_JAIL)
+ match = (ugp->fw_prid == (int)insn->d[0]);
return match;
}
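Review bot: The O_JAIL comparison `match = (ugp->fw_prid == (int)insn->d[0]);` treats the -1 "not jailed" sentinel written by the cache fill as an ordinary prison ID, so a rule whose d[0] encodes -1 would match every unjailed TCP/UDP socket instead of being rejected. The O_JAIL case added to check_ipfw_struct in the last hunk looks like it only shares the existing length check, so unless ipfw(8) refuses negative values the sentinel is reachable from a loaded rule. Either reject `(int)insn->d[0] < 0` for O_JAIL in check_ipfw_struct, or document at this comparison that matching the sentinel is intended. Note also that the cast of a uint32 d[0] above INT_MAX to int is implementation-defined, which is one more reason to validate the range once at rule-load time.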
@@ -1921,6 +1927,7 @@ check_body:
case O_GID:
case O_UID:
+ case O_JAIL:
/*
* We only check offset == 0 && proto != 0,
* as this ensures that we have an IPv4
@@ -2862,6 +2869,7 @@ check_ipfw_struct(struct ip_fw *rule, int size)
case O_UID:
case O_GID:
+ case O_JAIL:
case O_IP_SRC:
case O_IP_DST:
case O_TCPSEQ: