Standardize the various prison_foo_ip[46] functions and prison_if to

return zero on success and an error code otherwise.  The possible errors
are EADDRNOTAVAIL if an address being checked for doesn't match the
prison, and EAFNOSUPPORT if the prison doesn't have any addresses in
that address family.  For most callers of these functions, use the
returned error code instead of e.g. a hard-coded EADDRNOTAVAIL or
EINVAL.

Always include a jailed() check in these functions, where a non-jailed
cred always returns success (and makes no changes).  Remove the explicit
jailed() checks that preceded many of the function calls.

Approved by:	bz (mentor)

1 files changed, 16 insertions, 18 deletions

diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c
index 753f45d..13c55cd 100644
--- a/sys/netinet6/in6_pcb.c
+++ b/sys/netinet6/in6_pcb.c
@@ -119,7 +119,7 @@ in6_pcbbind(register struct inpcb *inp, struct sockaddr *nam,
 	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)NULL;
 	struct inpcbinfo *pcbinfo = inp->inp_pcbinfo;
 	u_short	lport = 0;
-	int wild = 0, reuseport = (so->so_options & SO_REUSEPORT);
+	int error, wild = 0, reuseport = (so->so_options & SO_REUSEPORT);
 
 	INP_INFO_WLOCK_ASSERT(pcbinfo);
 	INP_WLOCK_ASSERT(inp);
@@ -131,8 +131,6 @@ in6_pcbbind(register struct inpcb *inp, struct sockaddr *nam,
 	if ((so->so_options & (SO_REUSEADDR|SO_REUSEPORT)) == 0)
 		wild = INPLOOKUP_WILDCARD;
 	if (nam) {
-		int error;
-
 		sin6 = (struct sockaddr_in6 *)nam;
 		if (nam->sa_len != sizeof(*sin6))
 			return (EINVAL);
@@ -145,9 +143,9 @@ in6_pcbbind(register struct inpcb *inp, struct sockaddr *nam,
 		if ((error = sa6_embedscope(sin6, V_ip6_use_defzone)) != 0)
 			return(error);
 
-		if (prison_local_ip6(cred, &sin6->sin6_addr,
-		    ((inp->inp_flags & IN6P_IPV6_V6ONLY) != 0)) != 0)
-			return (EINVAL);
+		if ((error = prison_local_ip6(cred, &sin6->sin6_addr,
+		    ((inp->inp_flags & IN6P_IPV6_V6ONLY) != 0))) != 0)
+			return (error);
 
 		lport = sin6->sin6_port;
 		if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) {
@@ -223,9 +221,9 @@ in6_pcbbind(register struct inpcb *inp, struct sockaddr *nam,
 						return (EADDRINUSE);
 				}
 			}
-			if (prison_local_ip6(cred, &sin6->sin6_addr,
-			    ((inp->inp_flags & IN6P_IPV6_V6ONLY) != 0)) != 0)
-				return (EADDRNOTAVAIL);
+			if ((error = prison_local_ip6(cred, &sin6->sin6_addr,
+			    ((inp->inp_flags & IN6P_IPV6_V6ONLY) != 0))) != 0)
+				return (error);
 			t = in6_pcblookup_local(pcbinfo, &sin6->sin6_addr,
 			    lport, wild, cred);
 			if (t && (reuseport & ((t->inp_vflag & INP_TIMEWAIT) ?
@@ -258,13 +256,12 @@ in6_pcbbind(register struct inpcb *inp, struct sockaddr *nam,
 		}
 		inp->in6p_laddr = sin6->sin6_addr;
 	}
-	if (prison_local_ip6(cred, &inp->in6p_laddr,
-	    ((inp->inp_flags & IN6P_IPV6_V6ONLY) != 0)) != 0)
-		return (EINVAL);
+	if ((error = prison_local_ip6(cred, &inp->in6p_laddr,
+	    ((inp->inp_flags & IN6P_IPV6_V6ONLY) != 0))) != 0)
+		return (error);
 	if (lport == 0) {
-		int e;
-		if ((e = in6_pcbsetport(&inp->in6p_laddr, inp, cred)) != 0)
-			return (e);
+		if ((error = in6_pcbsetport(&inp->in6p_laddr, inp, cred)) != 0)
+			return (error);
 	} else {
 		inp->inp_lport = lport;
 		if (in_pcbinshash(inp) != 0) {
@@ -320,8 +317,8 @@ in6_pcbladdr(register struct inpcb *inp, struct sockaddr *nam,
 		if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
 			sin6->sin6_addr = in6addr_loopback;
 	}
-	if (prison_remote_ip6(inp->inp_cred, &sin6->sin6_addr) != 0)
-		return (EADDRNOTAVAIL);
+	if ((error = prison_remote_ip6(inp->inp_cred, &sin6->sin6_addr)) != 0)
+		return (error);
 
 	/*
 	 * XXX: in6_selectsrc might replace the bound local address
@@ -885,7 +882,8 @@ in6_pcblookup_hash(struct inpcbinfo *pcbinfo, struct in6_addr *faddr,
 
 			injail = jailed(inp->inp_cred);
 			if (injail) {
-				if (!prison_check_ip6(inp->inp_cred, laddr))
+				if (prison_check_ip6(inp->inp_cred,
+				    laddr) != 0)
 					continue;
 			} else {
 				if (local_exact != NULL)