summaryrefslogtreecommitdiffstats
path: root/sys
diff options
context:
space:
mode:
authorbillf <billf@FreeBSD.org>2000-09-06 03:10:42 +0000
committerbillf <billf@FreeBSD.org>2000-09-06 03:10:42 +0000
commitb1549fa803c4c7c23627d66d8ea9033dffedb5da (patch)
tree15688a5a63a40bca219c907c945947c7412765a9 /sys
parentd8c5793861501f78ad999d797bc6e92831439a42 (diff)
downloadFreeBSD-src-b1549fa803c4c7c23627d66d8ea9033dffedb5da.zip
FreeBSD-src-b1549fa803c4c7c23627d66d8ea9033dffedb5da.tar.gz
1. IP_FW_F_{UID,GID} are _not_ commands, they are extras. The sanity checking
for them does not belong in the IP_FW_F_COMMAND switch, that mask doesn't even apply to them(!). 2. You cannot add a uid/gid rule to something that isn't TCP, UDP, or IP. XXX - this should be handled in ipfw(8) as well (for more diagnostic output), but this at least protects bogus rules from being added. Pointy hat: green
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_fw.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 4ed2b0b..2e2bdd3 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -1719,6 +1719,13 @@ check_ipfw_struct(struct ip_fw *frwl)
}
}
+ if (frwl->fw_flg & (IP_FW_F_UID | IP_FW_F_GID)) {
+ if (frwl->fw_prot != (IPPROTO_TCP | IPPROTO_UDP | IPPROTO_IP)) {
+ dprintf(("%s cannot use uid/gid logic on non-TCP/UDP\n", err_prefix));
+ return (EINVAL);
+ }
+ }
+
/* Check command specific stuff */
switch (frwl->fw_flg & IP_FW_F_COMMAND)
{
@@ -1752,8 +1759,6 @@ check_ipfw_struct(struct ip_fw *frwl)
#ifdef IPFIREWALL_FORWARD
case IP_FW_F_FWD:
#endif
- case IP_FW_F_UID:
- case IP_FW_F_GID:
break;
default:
dprintf(("%s invalid command\n", err_prefix));
OpenPOWER on IntegriCloud