cvs commit: src/sys/netinet ip_fw.h ip_fw2.c
Christian S.J. Peron
csjp at FreeBSD.org
Thu Aug 12 15:05:48 PDT 2004
csjp 2004-08-12 22:05:47 UTC
FreeBSD src repository
sys/netinet ip_fw.h ip_fw2.c
Add the ability to associate ipfw rules with a specific prison ID.
Since the only thing truly unique about a prison is its ID, I figured
this would be the most granular way of handling this.
This commit makes the following changes:
- Adds tokenizing and parsing for the ``jail'' command line option
to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While I am here, add a comment informing others that if they
want to add additional opcodes, they should append them to the end
of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed,
set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.
This change was a strong motivator behind the ucred caching
mechanism in ipfw.
A sample usage of this new functionality could be:
ipfw add count ip from any to any jail 2
It should be noted that because ucred based constraints
are only implemented for TCP and UDP packets, the same
applies for jail associations.
Conceptual head nod by: pjd
Reviewed by: rwatson
Approved by: bmilekic (mentor)
Revision  Changes  Path
1.87      +5 -1    src/sys/netinet/ip_fw.h
1.69      +9 -1    src/sys/netinet/ip_fw2.c
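The matching semantics the commit describes (fw_prid set from the prison ID or -1, and ucred-based matching available only for TCP and UDP), as an added, stand-alone C model written for this page; it is not FreeBSD code, and the struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of the commit's O_JAIL semantics; not FreeBSD code. */
#define NO_JAIL   (-1)   /* fw_prid when the owning process is not jailed */
#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17

/* Model of the ucred cache fields this commit extends. */
struct fw_ucred_model {
    bool valid;      /* cache was filled from a socket's ucred */
    int  fw_prid;    /* prison ID, or NO_JAIL */
};

/* Model of a packet: its protocol and the prison ID of the process that
 * owns the matching socket (a socket exists only for TCP/UDP). */
struct pkt_model {
    int proto;
    int owner_prid;  /* NO_JAIL if the owner is not jailed */
};

/* Fill the cache the way the commit describes: a ucred lookup is only
 * possible for TCP and UDP; for other protocols the cache stays invalid. */
static void fill_ucred_cache(struct fw_ucred_model *uc, const struct pkt_model *p)
{
    uc->valid = false;
    uc->fw_prid = NO_JAIL;
    if (p->proto != PROTO_TCP && p->proto != PROTO_UDP)
        return;
    uc->valid = true;
    uc->fw_prid = p->owner_prid;   /* prison ID, or -1 when not jailed */
}

/* O_JAIL match ("... jail N"): true only when a ucred was found and its
 * prison ID equals the rule argument. */
static bool match_jail(const struct pkt_model *p, int rule_prid)
{
    struct fw_ucred_model uc;
    fill_ucred_cache(&uc, p);
    return uc.valid && uc.fw_prid == rule_prid;
}
```

The ICMP case shows the caveat from the message: a rule like `ip from any to any jail 2` never matches non-TCP/UDP traffic, so accounting or filtering for a jail must not assume it covers all IP.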