authorpeter <peter@FreeBSD.org>1996-08-12 14:05:54 +0000
committerpeter <peter@FreeBSD.org>1996-08-12 14:05:54 +0000
commitcff0cee56f8b022e93a2ce161b76444796020180 (patch)
treecc92a1d80ecf684c5150ca794f960086dd4a0219 /sys
parentc2fcbeb6ff1e38452f855641439831a4746ef02a (diff)
Add two more portrange sysctls, which control the area below
IPPORT_RESERVED that is used for selection when bind() is told to allocate a reserved port. Also, implement simple sanity checking for all the addresses set, to make it a little harder for a user/sysadmin to shoot themselves in the feet.
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/in.h12
-rw-r--r--sys/netinet/in_pcb.c57
2 files changed, 52 insertions, 17 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index 437489f..3f2dce2 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)in.h 8.3 (Berkeley) 1/3/94
- * $Id: in.h,v 1.17 1996/04/03 13:52:11 phk Exp $
+ * $Id: in.h,v 1.18 1996/07/10 19:44:20 julian Exp $
*/
#ifndef _NETINET_IN_H_
@@ -88,7 +88,7 @@
* if you trust the remote host to restrict these ports.
*
* The default range of ports and the high range can be changed by
- * sysctl(3). (net.inet.ip.port{hi}{first,last}_auto)
+ * sysctl(3). (net.inet.ip.port{hi,low}{first,last}_auto)
*
* Changing those values has bad security implications if you are
* using a a stateless firewall that is allowing packets outside of that
@@ -115,6 +115,14 @@
#define IPPORT_HILASTAUTO 44999
/*
+ * Scanning for a free reserved port return a value below IPPORT_RESERVED,
+ * but higher than IPPORT_RESERVEDSTART. Traditionally the start value was
+ * 512, but that conflicts with some well-known-services that firewalls may
+ * have a fit if we use.
+ */
+#define IPPORT_RESERVEDSTART 600
+
+/*
* Internet address (a structure for historical reasons)
*/
struct in_addr {
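Review bot: The new comment above IPPORT_RESERVEDSTART has a subject/verb mismatch and a dangling clause ("Scanning ... return a value", "that firewalls may have a fit if we use"), which makes the intent of the constant harder to read for the one place it matters. Suggested wording: `Scanning for a free reserved port returns a value below IPPORT_RESERVED but above IPPORT_RESERVEDSTART. Traditionally the start value was 512, but that overlaps well-known services that firewalls may refuse to pass.` It would also help to state here that the effective lower bound is now tunable via net.inet.ip.portrange.lowlast, so a reader does not assume 600 is a hard floor.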
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 7b67888..fddbfaa 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)in_pcb.c 8.4 (Berkeley) 5/24/95
- * $Id: in_pcb.c,v 1.18 1996/03/11 15:13:13 davidg Exp $
+ * $Id: in_pcb.c,v 1.19 1996/05/31 05:11:22 peter Exp $
*/
#include <sys/param.h>
@@ -61,28 +61,56 @@
struct in_addr zeroin_addr;
+static void in_pcbinshash __P((struct inpcb *));
+static void in_rtchange __P((struct inpcb *, int));
+
/*
* These configure the range of local port addresses assigned to
* "unspecified" outgoing connections/packets/whatever.
*/
+static int ipport_lowfirstauto = IPPORT_RESERVED - 1; /* 1023 */
+static int ipport_lowlastauto = IPPORT_RESERVEDSTART; /* 600 */
static int ipport_firstauto = IPPORT_RESERVED; /* 1024 */
static int ipport_lastauto = IPPORT_USERRESERVED; /* 5000 */
static int ipport_hifirstauto = IPPORT_HIFIRSTAUTO; /* 40000 */
static int ipport_hilastauto = IPPORT_HILASTAUTO; /* 44999 */
-SYSCTL_NODE(_net_inet_ip, IPPROTO_IP, portrange, CTLFLAG_RW, 0, "IP Ports");
+#define RANGECHK(var, min, max) \
+ if ((var) < (min)) { (var) = (min); } \
+ else if ((var) > (max)) { (var) = (max); }
+
+static int
+sysctl_net_ipport_check SYSCTL_HANDLER_ARGS
+{
+ int error = sysctl_handle_int(oidp,
+ oidp->oid_arg1, oidp->oid_arg2, req);
+ if (!error) {
+ RANGECHK(ipport_lowfirstauto, 1, IPPORT_RESERVED - 1);
+ RANGECHK(ipport_lowlastauto, 1, IPPORT_RESERVED - 1);
+ RANGECHK(ipport_firstauto, IPPORT_RESERVED, USHRT_MAX);
+ RANGECHK(ipport_lastauto, IPPORT_RESERVED, USHRT_MAX);
+ RANGECHK(ipport_hifirstauto, IPPORT_RESERVED, USHRT_MAX);
+ RANGECHK(ipport_hilastauto, IPPORT_RESERVED, USHRT_MAX);
+ }
+ return error;
+}
-SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, first, CTLFLAG_RW,
- &ipport_firstauto, 0, "");
-SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, last, CTLFLAG_RW,
- &ipport_lastauto, 0, "");
-SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, hifirst, CTLFLAG_RW,
- &ipport_hifirstauto, 0, "");
-SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, hilast, CTLFLAG_RW,
- &ipport_hilastauto, 0, "");
+#undef RANGECHK
-static void in_pcbinshash __P((struct inpcb *));
-static void in_rtchange __P((struct inpcb *, int));
+SYSCTL_NODE(_net_inet_ip, IPPROTO_IP, portrange, CTLFLAG_RW, 0, "IP Ports");
+
+SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, lowfirst, CTLTYPE_INT|CTLFLAG_RW,
+ &ipport_lowfirstauto, 0, &sysctl_net_ipport_check, "I", "");
+SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, lowlast, CTLTYPE_INT|CTLFLAG_RW,
+ &ipport_lowlastauto, 0, &sysctl_net_ipport_check, "I", "");
+SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, first, CTLTYPE_INT|CTLFLAG_RW,
+ &ipport_firstauto, 0, &sysctl_net_ipport_check, "I", "");
+SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, last, CTLTYPE_INT|CTLFLAG_RW,
+ &ipport_lastauto, 0, &sysctl_net_ipport_check, "I", "");
+SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, hifirst, CTLTYPE_INT|CTLFLAG_RW,
+ &ipport_hifirstauto, 0, &sysctl_net_ipport_check, "I", "");
+SYSCTL_PROC(_net_inet_ip_portrange, OID_AUTO, hilast, CTLTYPE_INT|CTLFLAG_RW,
+ &ipport_hilastauto, 0, &sysctl_net_ipport_check, "I", "");
int
in_pcballoc(so, pcbinfo)
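Review bot: In sysctl_net_ipport_check the clamp for the new low range (`RANGECHK(ipport_lowfirstauto, 1, IPPORT_RESERVED - 1)` and the matching lowlast line) allows an administrator to drop the reserved-port allocation floor to 1, so bind() with INP_LOWPORT could hand out ports in the well-known-service range that the new IPPORT_RESERVEDSTART comment in in.h explicitly wants avoided; if that is not intended, the lower bound should be `IPPORT_RESERVEDSTART` rather than `1`, or the header comment should say the floor is tunable. The clamp also runs after sysctl_handle_int has already stored the caller's value and then silently rewrites it while still returning success, so an out-of-range setting is accepted without any error visible to the administrator; returning EINVAL from the handler instead of coercing would make misconfiguration visible. Finally, RANGECHK expands to a bare `if ... else if` rather than a `do { ... } while (0)` body, which invites the dangling-else problem if it is ever used inside another conditional before the `#undef`.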
@@ -180,9 +208,8 @@ in_pcbbind(inp, nam)
} else if (inp->inp_flags & INP_LOWPORT) {
if (error = suser(p->p_ucred, &p->p_acflag))
return (EACCES);
- first = IPPORT_RESERVED - 1; /* 1023 */
- last = IPPORT_RESERVED / 2; /* traditional - 512 */
- *lastport = first; /* restart each time */
+ first = ipport_lowfirstauto; /* 1023 */
+ last = ipport_lowlastauto; /* 600 */
} else {
first = ipport_firstauto; /* sysctl */
last = ipport_lastauto;
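Review bot: The trailing comments on the two new assignments, `/* 1023 */` and `/* 600 */`, document what are now only the compiled-in defaults of tunable sysctls, so they will be wrong as soon as an administrator changes net.inet.ip.portrange.lowfirst or lowlast. The `else` branch directly below already uses `/* sysctl */` for the same situation; for consistency these lines should read `first = ipport_lowfirstauto; /* sysctl */` and `last = ipport_lowlastauto;`. The enclosing in_pcbbind body starts and ends outside this hunk, so I cannot see whether the removal of the `*lastport = first` restart interacts with the allocation loop further down.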