7845ea0d16
Description: - A BSD pseudo-device initialization routine is declared as void <pseudo-device name>attach __P((int count)); in ioconf.c by config(8). main() calls these functions from a table. - IP Filter has functions iplattach() and ipldetach() (or, in the NetBSD case, were erroneously renamed ipfilterattach() and ipfilterdetach()). These functions are used to establish and disestablish the IP Filter "filter rule check" hook in the IP input/output stream. They are declared: int iplattach __P((void)); int ipldetach __P((void)); ..and are expected to return a value by iplioctl(). - When main() calls (by sheer coincidence!) iplattach(), the filter hook is established, and the IP Filter machinery labeled as "initialized". This causes all packets, whether or not the user intents to use filter rules, to be passed to the filter rule checker if "ipfilter" is configured into the kernel. - As a result of the above, a kludge existed to default to passing all packets (I can only assume that when this was originally committed, the symptom of the bug was noticed by the integrator, but the bug not actually found/fixed). - In iplioctl(), if the SIOCFRENB ioctl is issued with an argument of "enable" (i.e. user executed "ipf -E"), iplattach() will notice that the machinery is already initialized and return EBUSY. Fix: - Rename iplattach()/ipldetach() to ipl_enable() and ipl_disable(). - Create a pseudo-device entry stub named ipfilterattach() (NetBSD case) or iplattach() (all other). This is a noop; none of the machinery should be initialized until the caller expicitly enables the filter with ipf -E. Add a comment to note that. |
||
|---|---|---|
| bin | ||
| distrib | ||
| etc | ||
| games | ||
| gnu | ||
| include | ||
| lib | ||
| libexec | ||
| regress | ||
| sbin | ||
| share | ||
| sys | ||
| usr.bin | ||
| usr.sbin | ||
| Makefile | ||