cvs commit: src/sys/netinet ip_fw.h ip_fw2.c

Christian S.J. Peron csjp at
Thu Aug 12 15:05:48 PDT 2004

csjp        2004-08-12 22:05:47 UTC

  FreeBSD src repository

  Modified files:
    sys/netinet          ip_fw.h ip_fw2.c 
  Add the ability to associate ipfw rules with a specific prison ID.
  Since the only thing truly unique about a prison is it's ID, I figured
  this would be the most granular way of handling this.
  This commit makes the following changes:
  - Adds tokenizing and parsing for the ``jail'' command line option
    to the ipfw(8) userspace utility.
  - Append the ipfw opcode list with O_JAIL.
  - While Iam here, add a comment informing others that if they
    want to add additional opcodes, they should append them to the end
    of the list to avoid ABI breakage.
  - Add ``fw_prid'' to the ipfw ucred cache structure.
  - When initializing ucred cache, if the process is jailed,
    set fw_prid to the prison ID, otherwise set it to -1.
  - Update man page to reflect these changes.
  This change was a strong motivator behind the ucred caching
  mechanism in ipfw.
  A sample usage of this new functionality could be:
      ipfw add count ip from any to any jail 2
  It should be noted that because ucred based constraints
  are only implemented for TCP and UDP packets, the same
  applies for jail associations.
  Conceptual head nod by: pjd
  Reviewed by:    rwatson
  Approved by:    bmilekic (mentor)
  Revision  Changes    Path
  1.87      +5 -1      src/sys/netinet/ip_fw.h
  1.69      +9 -1      src/sys/netinet/ip_fw2.c

More information about the cvs-src mailing list