kern/91082: ipfilter rule changes fail in securelevel 2
chris at chrullrich.de
Thu Dec 29 22:50:04 PST 2005
>Synopsis: ipfilter rule changes fail in securelevel 2
>Arrival-Date: Fri Dec 30 06:50:01 GMT 2005
>Originator: Christian Ullrich
FreeBSD legolas.chrullrich.de 6.0-STABLE FreeBSD 6.0-STABLE #0: Wed Dec 28 19:11:05 CET 2005 root at wt.chrullrich.de:/usr/obj/usr/src/sys/LEGOLAS i386
On FreeBSD 6.0, modifying ipfilter rule sets is disallowed in any securelevel >= 2. This behavior differs from earlier releases, the init(8) man page, and the requirements for changing ipnat rules, which are allowed up to securelevel 2.
Release 3 of ipfilter initially required securelevel < 2 for rule changes as well, which was changed in revision 1.28 of src/sys/contrib/ipfilter/netinet/ip_fil.c, back in 2002.
In FreeBSD 6, ipfilter 3 has been replaced by release 4, which, again, requires the lower securelevel. As noted above, that applies only to changes to filtering rules, not NAT rules.
In securelevel 2, run anything which will change ipf filter rules.
--- sys/contrib/ipfilter/netinet/ip_fil_freebsd.c.orig Fri Dec 30 07:40:18 2005
+++ sys/contrib/ipfilter/netinet/ip_fil_freebsd.c Fri Dec 30 07:40:40 2005
@@ -421,7 +421,7 @@
#if (BSD >= 199306) && defined(_KERNEL)
- if ((securelevel >= 2) && (mode & FWRITE))
+ if ((securelevel >= 3) && (mode & FWRITE))
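Review bot: the hunk header `@@ -421,7 +421,7 @@` announces seven lines per side, but only one context line and the `-`/`+` pair are present, so the patch as pasted is truncated and will not apply with patch(1); please resend it with the full context (including the statement that follows the `if`, presumably the EPERM return) so the effect of the threshold change can be reviewed in place. The new threshold itself is consistent with init(8), which documents that only securelevel 3 forbids changing IP packet filter rules, and with the report's statement that ipnat changes are already permitted at securelevel 2; it would be worth confirming in the same patch that the NAT ioctl path compares against the same value so the two do not drift apart again. As a style point, the check reads the `securelevel` variable directly; FreeBSD's securelevel_ge(9) (with the caller's credential) is the preferred interface in this file's FreeBSD-specific code.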