kern/91082: ipfilter rule changes fail in securelevel 2

Christian Ullrich chris at chrullrich.de
Thu Dec 29 22:50:04 PST 2005


>Number:         91082
>Category:       kern
>Synopsis:       ipfilter rule changes fail in securelevel 2
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 30 06:50:01 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Christian Ullrich
>Release:        6.0-STABLE
>Organization:
>Environment:
FreeBSD legolas.chrullrich.de 6.0-STABLE FreeBSD 6.0-STABLE #0: Wed Dec 28 19:11:05 CET 2005     root at wt.chrullrich.de:/usr/obj/usr/src/sys/LEGOLAS  i386
>Description:
On FreeBSD 6.0, modifying ipfilter rule sets is disallowed in any securelevel >= 2. This behavior differs from earlier releases, the init(8) man page, and the requirements for changing ipnat rules, which are allowed up to securelevel 2.

Release 3 of ipfilter initially required securelevel < 2 for rule changes as well, which was changed in revision 1.28 of src/sys/contrib/ipfilter/netinet/ip_fil.c, back in 2002.

In FreeBSD 6, ipfilter 3 has been replaced by release 4, which, again, requires the lower securelevel. As noted above, that applies only to changes to filtering rules, not NAT rules.
>How-To-Repeat:
In securelevel 2, run anything which will change ipf filter rules.
>Fix:
--- sys/contrib/ipfilter/netinet/ip_fil_freebsd.c.orig  Fri Dec 30 07:40:18 2005
+++ sys/contrib/ipfilter/netinet/ip_fil_freebsd.c       Fri Dec 30 07:40:40 2005
@@ -421,7 +421,7 @@
        friostat_t fio;

 #if (BSD >= 199306) && defined(_KERNEL)
-       if ((securelevel >= 2) && (mode & FWRITE))
+       if ((securelevel >= 3) && (mode & FWRITE))
                return EPERM;
 #endif

>Release-Note:
>Audit-Trail:
>Unformatted:


More information about the freebsd-bugs mailing list