svn commit: r302205 - projects/vnet/sys/contrib/ipfilter/netinet

Sat Jun 25 22:44:37 UTC 2016

Author: bz
Date: Sat Jun 25 22:44:36 2016
New Revision: 302205
URL: https://svnweb.freebsd.org/changeset/base/302205

Log:
  Cover all of the ioctl handler with a set vnet;  what was there from
  old days was not enough anymore.
  
  Also use curthread for read/write operations on the device, rather than
  the cache credentials;  things can move around and the cached ones might
  not be the right ones.
  
  Sponsored by:	The FreeBSD Foundation

Modified:
  projects/vnet/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
  projects/vnet/sys/contrib/ipfilter/netinet/mlfk_ipl.c

Modified: projects/vnet/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
==============================================================================

--- projects/vnet/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	Sat Jun 25 22:24:16 2016	(r302204)
+++ projects/vnet/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	Sat Jun 25 22:44:36 2016	(r302205)
@@ -298,10 +298,12 @@ ipfioctl(dev, cmd, data, mode
 	int error = 0, unit = 0;
 	SPL_INT(s);
 
+	CURVNET_SET(TD_TO_VNET(p));
 #if (BSD >= 199306)
         if (securelevel_ge(p->p_cred, 3) && (mode & FWRITE))
 	{
 		V_ipfmain.ipf_interror = 130001;
+		CURVNET_RESTORE();
 		return EPERM;
 	}
 #endif
@@ -309,12 +311,14 @@ ipfioctl(dev, cmd, data, mode
 	unit = GET_MINOR(dev);
 	if ((IPL_LOGMAX < unit) || (unit < 0)) {
 		V_ipfmain.ipf_interror = 130002;
+		CURVNET_RESTORE();
 		return ENXIO;
 	}
 
 	if (V_ipfmain.ipf_running <= 0) {
 		if (unit != IPL_LOGIPF && cmd != SIOCIPFINTERROR) {
 			V_ipfmain.ipf_interror = 130003;
+			CURVNET_RESTORE();
 			return EIO;
 		}
 		if (cmd != SIOCIPFGETNEXT && cmd != SIOCIPFGET &&
@@ -322,13 +326,13 @@ ipfioctl(dev, cmd, data, mode
 		    cmd != SIOCGETFS && cmd != SIOCGETFF &&
 		    cmd != SIOCIPFINTERROR) {
 			V_ipfmain.ipf_interror = 130004;
+			CURVNET_RESTORE();
 			return EIO;
 		}
 	}
 
 	SPL_NET(s);
 
-	CURVNET_SET(TD_TO_VNET(p));
 	error = ipf_ioctlswitch(&V_ipfmain, unit, data, cmd, mode, p->p_uid, p);
 	CURVNET_RESTORE();
 	if (error != -1) {

Modified: projects/vnet/sys/contrib/ipfilter/netinet/mlfk_ipl.c
==============================================================================
--- projects/vnet/sys/contrib/ipfilter/netinet/mlfk_ipl.c	Sat Jun 25 22:24:16 2016	(r302204)
+++ projects/vnet/sys/contrib/ipfilter/netinet/mlfk_ipl.c	Sat Jun 25 22:44:36 2016	(r302205)
@@ -513,7 +513,7 @@ static int ipfread(dev, uio)
 	if (unit < 0)
 		return ENXIO;
 
-	CURVNET_SET(CRED_TO_VNET(dev->si_cred));
+	CURVNET_SET(TD_TO_VNET(curthread));
 	if (V_ipfmain.ipf_running < 1) {
 		CURVNET_RESTORE();
 		return EIO;
@@ -556,7 +556,7 @@ static int ipfwrite(dev, uio)
 {
 	int error;
 
-	CURVNET_SET(CRED_TO_VNET(dev->si_cred));
+	CURVNET_SET(TD_TO_VNET(curthread));
 	if (V_ipfmain.ipf_running < 1) {
 		CURVNET_RESTORE();
 		return EIO;
