From nobody Thu Jul 14 13:54:33 2022
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4LkGFP4384z1J4rT;
	Thu, 14 Jul 2022 13:54:33 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4LkGFP3GjFz418K;
	Thu, 14 Jul 2022 13:54:33 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1657806873;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=hXf/0r1HFmMfo58FS5NJP0zmnFYbSnrGjU90cmNdby0=;
	b=rI2tdTCI5gFk1NjTrfjqYCMlqrif/WzUN+yrvZG9zSWGWkwEkECJW2WhcOURyVHHf8xlXm
	BsdlNA3bQ+kR4VOrszVII5ork+Ff72tAnpEKxcnLGEYKaBb6CKjTZAI6Ya0cXaqN3QIa3l
	0J13Y40qRDC4sHWDN30Ta7bQP0D2ojYWY7LI7GNRh/sKSO2A3cy1BJJkjdvnFP3jYxTiki
	4MCmLx4HBIuOKsximBKRjhah7RY9u/iXevnNwPyOkjHIsGw98koCV46JtX95TKK5TJ0ibm
	aaGrgO8HTOARI+TrFNN6TSxLOij+FAB4HzVmWMBc+qlM3/SGn+tcCwvi7iCXJw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4LkGFP22Lbz15Gw;
	Thu, 14 Jul 2022 13:54:33 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 26EDsXf5072584;
	Thu, 14 Jul 2022 13:54:33 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 26EDsXmP072583;
	Thu, 14 Jul 2022 13:54:33 GMT
	(envelope-from git)
Date: Thu, 14 Jul 2022 13:54:33 GMT
Message-Id: <202207141354.26EDsXmP072583@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Cy Schubert <cy@FreeBSD.org>
Subject: git: 831c6b8edda6 - stable/13 - ipfilter: Support only jails in VNET
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 831c6b8edda6c8d25db43e4d4bbf5120651bd1ec
Auto-Submitted: auto-generated
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1657806873;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=hXf/0r1HFmMfo58FS5NJP0zmnFYbSnrGjU90cmNdby0=;
	b=VTIEFzTuZ57Dal56hKU35UjluyE+CUUVKY31iOGJOuZxJho+KIXWR+QB3LVM0oKPifN4TU
	TBDJ7hOv9jFHBWT8/fwgqYwLOGVzyZ1vg2b8QG6vzZVguXW2VB1q844/B6ocsyInafwkgG
	GuSb1a7kYXoaiCq7eDCwL8r/sYI7a+Shf57g8xZIjHKluIWTlrvvCqALmzALpicKRKcRwf
	MgNqHxiR5lcmDNyJDICF+KOR7N5Mr/L7w10h4O6IPeLaOf48QSYSmLVU6/5X7hffsspYd/
	lx6/FTIn1YwAdXLJN1nN6t2RVYYN5ob48gKaMQyfnWFvC0Cufnz8wEWJGKw/1A==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1657806873; a=rsa-sha256; cv=none;
	b=rFLOhp1HfDVcC0Yosd5Mp7ro+kTbIgoxA04TF1wLWGODVD03w4IaStO9xXQ5+xmETpXMbY
	6nWaCgswvyXLVOO6G7itXRBiJuHfxfjk0H+ur0rkEdrJkMV09SYWE5+VpynIqog90VY14F
	8vs6D7xlSJUVD5zhfacBlYcbB5bmxG4nIDqIeRuyGLy9IFWdiB4LdIn3Rhu5WSZCCZ+VtJ
	L/ktoVjaduXk6h74fYatv4sxv3EWbe96cgf1rfEfFxuQOM+Y/EBdw6x5ubsYXeDCtvgiXP
	m9hfOPG9m64S8Xi7pdpsQWbyieLLGLqSuafUAkNg8s2ye/gylrUauYxHfKW5Ww==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

The branch stable/13 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=831c6b8edda6c8d25db43e4d4bbf5120651bd1ec

commit 831c6b8edda6c8d25db43e4d4bbf5120651bd1ec
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-03-17 18:05:05 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-07-14 13:54:22 +0000

    ipfilter: Support only jails in VNET
    
    Jails without VNET have complete access to the ipfilter rules, NAT,
    pools and logs. This is insecure. Only allow jails to manipulate
    ipfilter rules, NAT tables and ippools if the jail has its own VNET.
    Otherwise a jail can affect the global system.
    
    This patch brings ipfilter in line with ipfw's support of VNET jails and
    non-support of non-VNET jails.
    
    (cherry picked from commit c47db49ba4aa7e74afe22591a62fbda95317932d)
---
 sbin/ipf/libipf/interror.c                    |  4 +++-
 sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c |  7 +++++++
 sys/netpfil/ipfilter/netinet/ip_nat.c         |  9 +++++++++
 sys/netpfil/ipfilter/netinet/mlfk_ipl.c       | 12 ++++++++++++
 4 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c
index ca97254cb382..994fb9d2b320 100644
--- a/sbin/ipf/libipf/interror.c
+++ b/sbin/ipf/libipf/interror.c
@@ -17,7 +17,7 @@ typedef	struct	{
 
 static ipf_error_entry_t *find_error(int);
 
-#define	IPF_NUM_ERRORS	475
+#define	IPF_NUM_ERRORS	477
 
 /*
  * NO REUSE OF NUMBERS!
@@ -355,6 +355,7 @@ log" },
 	{	60073,	"unknown lookup group for next address (ipv6)" },
 	{	60074,	"unknown next address type (ipv6)" },
 	{	60075,	"one object at a time must be copied" },
+	{	60076,	"NAT ioctl denied in jail without VNET" },
 /* -------------------------------------------------------------------------- */
 	{	70001,	"incorrect object size to get pool stats" },
 	{	70002,	"could not malloc memory for new pool node" },
@@ -516,6 +517,7 @@ log" },
 	{	130015,	"ipf_init_all failed" },
 	{	130016,	"finding pfil head failed" },
 	{	130017,	"ipfilter is already initialised and running" },
+	{	130018,	"ioctl denied in jail without VNET" },
 };
 
 
diff --git a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c
index f617584394cf..57a006ed5393 100644
--- a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c
+++ b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c
@@ -47,6 +47,7 @@ static const char rcsid[] = "@(#)$Id$";
 #include <net/route/nhop.h>
 #include <netinet/in.h>
 #include <netinet/in_fib.h>
+#include <netinet/in_pcb.h>
 #include <netinet/in_var.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
@@ -281,6 +282,12 @@ ipfioctl(struct cdev *dev, ioctlcmd_t cmd, caddr_t data,
 		return (EPERM);
 	}
 
+	if (jailed_without_vnet(p->p_cred)) {
+		V_ipfmain.ipf_interror = 130018;
+		CURVNET_RESTORE();
+		return (EOPNOTSUPP);
+	}
+
 	unit = GET_MINOR(dev);
 	if ((IPL_LOGMAX < unit) || (unit < 0)) {
 		V_ipfmain.ipf_interror = 130002;
diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
index fd9429a623dd..9ee3082aa864 100644
--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -42,6 +42,9 @@ struct file;
 #include <sys/socket.h>
 #if defined(_KERNEL)
 # include <sys/systm.h>
+# if defined(__FreeBSD__)
+#  include <sys/jail.h>
+# endif
 # if !defined(__SVR4)
 #  include <sys/mbuf.h>
 # endif
@@ -999,6 +1002,12 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
 		IPFERROR(60001);
 		return (EPERM);
 	}
+# if defined(__FreeBSD__)
+	if (jailed_without_vnet(curthread->td_ucred)) {
+		IPFERROR(60076);
+		return (EOPNOTSUPP);
+	}
+# endif
 #endif
 
 	getlock = (mode & NAT_LOCKHELD) ? 0 : 1;
diff --git a/sys/netpfil/ipfilter/netinet/mlfk_ipl.c b/sys/netpfil/ipfilter/netinet/mlfk_ipl.c
index 872471bac38b..091d2c7d2061 100644
--- a/sys/netpfil/ipfilter/netinet/mlfk_ipl.c
+++ b/sys/netpfil/ipfilter/netinet/mlfk_ipl.c
@@ -377,6 +377,9 @@ sysctl_error:
 static int
 sysctl_ipf_int_nat ( SYSCTL_HANDLER_ARGS )
 {
+	if (jailed_without_vnet(curthread->td_ucred))
+		return (0);
+
 	ipf_nat_softc_t *nat_softc;
 
 	nat_softc = V_ipfmain.ipf_nat_soft;
@@ -388,6 +391,9 @@ sysctl_ipf_int_nat ( SYSCTL_HANDLER_ARGS )
 static int
 sysctl_ipf_int_state ( SYSCTL_HANDLER_ARGS )
 {
+	if (jailed_without_vnet(curthread->td_ucred))
+		return (0);
+
 	ipf_state_softc_t *state_softc;
 
 	state_softc = V_ipfmain.ipf_state_soft;
@@ -399,6 +405,9 @@ sysctl_ipf_int_state ( SYSCTL_HANDLER_ARGS )
 static int
 sysctl_ipf_int_auth ( SYSCTL_HANDLER_ARGS )
 {
+	if (jailed_without_vnet(curthread->td_ucred))
+		return (0);
+
 	ipf_auth_softc_t *auth_softc;
 
 	auth_softc = V_ipfmain.ipf_auth_soft;
@@ -410,6 +419,9 @@ sysctl_ipf_int_auth ( SYSCTL_HANDLER_ARGS )
 static int
 sysctl_ipf_int_frag ( SYSCTL_HANDLER_ARGS )
 {
+	if (jailed_without_vnet(curthread->td_ucred))
+		return (0);
+
 	ipf_frag_softc_t *frag_softc;
 
 	frag_softc = V_ipfmain.ipf_frag_soft;