author | peter <peter@FreeBSD.org> | 1996-08-12 14:05:54 +0000 |
---|---|---|
committer | peter <peter@FreeBSD.org> | 1996-08-12 14:05:54 +0000 |
commit | cff0cee56f8b022e93a2ce161b76444796020180 (patch) | |
tree | cc92a1d80ecf684c5150ca794f960086dd4a0219 /sys/netinet | |
parent | c2fcbeb6ff1e38452f855641439831a4746ef02a (diff) | |
Add two more portrange sysctls, which control the area below
IPPORT_RESERVED that is used for selection when bind() is told to allocate
a reserved port.
Also, implement simple sanity checking for all the addresses set, to make
it a little harder for a user/sysadmin to shoot themselves in the feet.
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/in.h | 12 | ||||
-rw-r--r-- | sys/netinet/in_pcb.c | 57 |
2 files changed, 52 insertions, 17 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h index 437489f..3f2dce2 100644 --- a/sys/netinet/in.h +++ b/sys/netinet/in.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)in.h 8.3 (Berkeley) 1/3/94 - * $Id: in.h,v 1.17 1996/04/03 13:52:11 phk Exp $ + * $Id: in.h,v 1.18 1996/07/10 19:44:20 julian Exp $ */ #ifndef _NETINET_IN_H_ @@ -88,7 +88,7 @@ * if you trust the remote host to restrict these ports. * * The default range of ports and the high range can be changed by - * sysctl(3). (net.inet.ip.port{hi}{first,last}_auto) + * sysctl(3). (net.inet.ip.port{hi,low}{first,last}_auto) * * Changing those values has bad security implications if you are * using a a stateless firewall that is allowing packets outside of that @@ -115,6 +115,14 @@ #define IPPORT_HILASTAUTO 44999 /* + * Scanning for a free reserved port return a value below IPPORT_RESERVED, + * but higher than IPPORT_RESERVEDSTART. Traditionally the start value was + * 512, but that conflicts with some well-known-services that firewalls may + * have a fit if we use. + */ +#define IPPORT_RESERVEDSTART 600 + +/* * Internet address (a structure for historical reasons) */ struct in_addr { diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index 7b67888..fddbfaa 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)in_pcb.c 8.4 (Berkeley) 5/24/95 - * $Id: in_pcb.c,v 1.18 1996/03/11 15:13:13 davidg Exp $ + * $Id: in_pcb.c,v 1.19 1996/05/31 05:11:22 peter Exp $ */ #include <sys/param.h> 
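Review bot: The sysctl names in the reworded comment do not match what in_pcb.c actually registers in this same commit: the comment says `net.inet.ip.port{hi,low}{first,last}_auto`, but SYSCTL_NODE(_net_inet_ip, ..., portrange, ...) together with the SYSCTL_PROC OIDs lowfirst, lowlast, first, last, hifirst and hilast creates `net.inet.ip.portrange.{lowfirst,lowlast,first,last,hifirst,hilast}`. An administrator reading in.h to find the knob will look for a name that does not exist. Suggested line: ` * sysctl(3). (net.inet.ip.portrange.{lowfirst,lowlast,first,last,hifirst,hilast})`.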
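Review bot: The new comment above IPPORT_RESERVEDSTART has a grammar slip ("return a value") and does not say that 600 is only a default: in_pcb.c in this commit uses it to initialise ipport_lowlastauto, which the lowlast sysctl can override at runtime. Suggested first sentence: ` * Scanning for a free reserved port returns a value below IPPORT_RESERVED but not lower than IPPORT_RESERVEDSTART (the default for net.inet.ip.portrange.lowlast).` The remark about the traditional start of 512 and firewall conflicts can stay as written.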
@@ -61,28 +61,56 @@ struct in_addr zeroin_addr; +static void in_pcbinshash __P((struct inpcb *)); +static void in_rtchange __P((struct inpcb *, int)); + /* * These configure the range of local port addresses assigned to * "unspecified" outgoing connections/packets/whatever. */ +static int ipport_lowfirstauto = IPPORT_RESERVED - 1; /* 1023 */ +static int ipport_lowlastauto = IPPORT_RESERVEDSTART; /* 600 */ static int ipport_firstauto = IPPORT_RESERVED; /* 1024 */ static int ipport_lastauto = IPPORT_USERRESERVED; /* 5000 */ static int ipport_hifirstauto = IPPORT_HIFIRSTAUTO; /* 40000 */ static int ipport_hilastauto = IPPORT_HILASTAUTO; /* 44999 */ -SYSCTL_NODE(_net_inet_ip, IPPROTO_IP, portrange, CTLFLAG_RW, 0, "IP Ports"); +#define RANGECHK(var, min, max) \ + if ((var) < (min)) { (var) = (min); } \ + else if ((var) > (max)) { (var) = (max); } + +static int +sysctl_net_ipport_check SYSCTL_HANDLER_ARGS +{ + int error = sysctl_handle_int(oidp, + oidp->oid_arg1, oidp->oid_arg2, req); + if (!error) { + RANGECHK(ipport_lowfirstauto, 1, IPPORT_RESERVED - 1); + RANGECHK(ipport_lowlastauto, 1, IPPORT_RESERVED - 1); + RANGECHK(ipport_firstauto, IPPORT_RESERVED, USHRT_MAX); + RANGECHK(ipport_lastauto, IPPORT_RESERVED, USHRT_MAX); + RANGECHK(ipport_hifirstauto, IPPORT_RESERVED, USHRT_MAX); + RANGECHK(ipport_hilastauto, IPPORT_RESERVED, USHRT_MAX); + } + return error; +} -SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, first, CTLFLAG_RW, - &ipport_firstauto, 0, ""); -SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, last, CTLFLAG_RW, - &ipport_lastauto, 0, ""); -SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, hifirst, CTLFLAG_RW, - &ipport_hifirstauto, 0, ""); -SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, hilast, CTLFLAG_RW, - &ipport_hilastauto, 0, ""); +#undef RANGECHK -static void in_pcbinshash __P((struct inpcb *)); -static void in_rtchange __P((struct inpcb *, int)); +SYSCTL_NODE(_net_inet_ip, IPPROTO_IP, portrange, CTLFLAG_RW, 0, "IP Ports"); + +SYSCTL_PROC(_net_inet_ip_portrange, 
OID_AUTO, lowfirst, CTLTYPE_INT|CTLFLAG_RW, + &ipport_lowfirstauto, 0, &sysctl_net_ipport_check, "I", ""); +SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, lowlast, CTLTYPE_INT|CTLFLAG_RW, + &ipport_lowlastauto, 0, &sysctl_net_ipport_check, "I", ""); +SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, first, CTLTYPE_INT|CTLFLAG_RW, + &ipport_firstauto, 0, &sysctl_net_ipport_check, "I", ""); +SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, last, CTLTYPE_INT|CTLFLAG_RW, + &ipport_lastauto, 0, &sysctl_net_ipport_check, "I", ""); +SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, hifirst, CTLTYPE_INT|CTLFLAG_RW, + &ipport_hifirstauto, 0, &sysctl_net_ipport_check, "I", ""); +SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, hilast, CTLTYPE_INT|CTLFLAG_RW, + &ipport_hilastauto, 0, &sysctl_net_ipport_check, "I", ""); int in_pcballoc(so, pcbinfo) @@ -180,9 +208,8 @@ in_pcbbind(inp, nam) } else if (inp->inp_flags & INP_LOWPORT) { if (error = suser(p->p_ucred, &p->p_acflag)) return (EACCES); - first = IPPORT_RESERVED - 1; /* 1023 */ - last = IPPORT_RESERVED / 2; /* traditional - 512 */ - *lastport = first; /* restart each time */ + first = ipport_lowfirstauto; /* 1023 */ + last = ipport_lowlastauto; /* 600 */ } else { first = ipport_firstauto; /* sysctl */ last = ipport_lastauto; |
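Review bot: sysctl_net_ipport_check clamps each knob into its absolute bounds but never checks the pairs against each other, so lowlast can be set above lowfirst and last below first (likewise hilast/hifirst); whether an inverted pair is harmless depends on how the search loop in in_pcbbind, which lies outside this hunk, treats it. Three lines after the RANGECHK calls would pin the pairs to the direction the defaults use: `if (ipport_lowlastauto > ipport_lowfirstauto) ipport_lowlastauto = ipport_lowfirstauto;`, `if (ipport_lastauto < ipport_firstauto) ipport_lastauto = ipport_firstauto;`, `if (ipport_hilastauto < ipport_hifirstauto) ipport_hilastauto = ipport_hifirstauto;` — alternatively the handler could return EINVAL and restore the old value instead of silently rewriting what the administrator set, which is easier to notice than a clamped value. The handler also deserves a comment, since it is wired to all six OIDs and re-clamps every variable on any write: `/* Shared handler for all portrange knobs: after the write, pin every value into its bounds. */`. As a style point, RANGECHK expands to a bare if/else and should be wrapped in do { } while (0) if it is ever reused beyond this #define/#undef pair.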
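Review bot: Dropping `*lastport = first; /* restart each time */` changes more than the sysctl substitution: the reserved-port search no longer restarts at the top of the low range, so unless the loop below, outside this hunk, resets *lastport when it falls outside [last, first], the search can begin from a value left over by an earlier allocation in one of the other ranges. If continuing from the last low port handed out is the intended new behaviour, that deserves a sentence in the commit message or a comment such as `/* low range now continues from *lastport like the other ranges */`. The replacement comments `/* 1023 */` and `/* 600 */` now describe only the defaults; `/* sysctl */`, as used two lines further down, would be more accurate.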