kern/57492: Firewall can be disabled in securelevel 3

Bruce Evans bde at zeta.org.au
Thu Oct 2 08:52:31 PDT 2003


>  My apologies, I forgot that I have this problem fixed locally,
>  but it's not in the FreeBSD repository.  I will re-open the
>  bug.  The patch, FWIW, is as follows:

This has some style bugs:

>  %%%
>  Index: ip_fw.c
>  ===================================================================
>  RCS file: /home/ncvs/src/sys/netinet/Attic/ip_fw.c,v
>  retrieving revision 1.131.2.39
>  diff -u -p -r1.131.2.39 ip_fw.c
>  --- ip_fw.c	20 Jan 2003 02:23:07 -0000	1.131.2.39
>  +++ ip_fw.c	2 Oct 2003 12:07:35 -0000
>  @@ -94,11 +94,21 @@ LIST_HEAD (ip_fw_head, ip_fw) ip_fw_chai
>   MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
>
>   #ifdef SYSCTL_NODE
>  +
>  +static int
>  +sysctl_fw_securelevel_check(SYSCTL_HANDLER_ARGS)

Function in the middle of declarations.

>  +{
>  +
>  +	if (req->newptr && securelevel >= 3)
>  +		return (EPERM);
>  +	return sysctl_handle_int(oidp, arg1, arg2, req);

Missing parentheses around return value.

>  +}
>  +
>   SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
>  -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
>  -    &fw_enable, 0, "Enable ipfw");
>  -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
>  -    &fw_one_pass, 0,
>  +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW,
>  +    &fw_enable, 0, sysctl_fw_securelevel_check, "I", "Enable ipfw");

Missing spaces around binary operator `|'.

>  +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, one_pass, CTLTYPE_INT|CTLFLAG_RW,
>  +    &fw_one_pass, 0, sysctl_fw_securelevel_check, "I",

Many more of these.
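
Review bot: sysctl_fw_securelevel_check() has no comment saying what it guards, and the protection it gives is opt-in per OID. Only nodes converted to SYSCTL_PROC with this handler get the `req->newptr && securelevel >= 3` write check, so a writable ipfw knob left as, or later added with, plain SYSCTL_INT stays changeable at securelevel 3. A short comment above the function should say that every CTLFLAG_RW node under _net_inet_ip_fw is expected to use it.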

>  @@ -173,30 +183,40 @@ static u_int32_t static_count = 0 ;	/* #
> ...
>  +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLTYPE_INT|CTLFLAG_RD,
>  +    &curr_dyn_buckets, 0, sysctl_fw_securelevel_check, "IU",
>  +    "Current Number of dyn. buckets");

Also this and others with too-long lines.
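
Review bot: curr_dyn_buckets is declared CTLFLAG_RD, so routing it through sysctl_fw_securelevel_check adds nothing. The handler only refuses when req->newptr is set, and the sysctl layer already rejects a write to a node that lacks CTLFLAG_WR before any handler runs. Keeping the read-only nodes on their existing declarations would shrink the patch to the knobs that actually need the check, and would also avoid this over-long line.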

Bruce

