authorkstailey <kstailey@cvs.openbsd.org>1997-12-03 01:25:33 +0000
committerkstailey <kstailey@cvs.openbsd.org>1997-12-03 01:25:33 +0000
commit600477a0b0b78aeded717538f05df29039a4c6b0 (patch)
tree17a51b4ec1a05f64c2c02837d7c974e2fc148604
parent24f0f18aee9671cef8f7ebda56303c67bb93ecd0 (diff)
Prevent IPF and NAT configuration changes when securelevel > 1.
-rw-r--r--sys/netinet/ip_fil.c29
1 files changed, 28 insertions, 1 deletions
diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c
index 1de368d9bfe..6e90df072bb 100644
--- a/sys/netinet/ip_fil.c
+++ b/sys/netinet/ip_fil.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_fil.c,v 1.14 1997/06/23 19:03:48 kstailey Exp $ */
+/* $OpenBSD: ip_fil.c,v 1.15 1997/12/03 01:25:32 kstailey Exp $ */
/*
* (C)opyright 1993,1994,1995 by Darren Reed.
*
@@ -281,6 +281,33 @@ iplioctl(dev, cmd, data, mode
if (unit != 0)
return ENXIO;
+ if (securelevel > 1) {
+ switch (cmd) {
+#ifndef IPFILTER_LKM
+ case SIOCFRENB:
+#endif
+ case SIOCSETFF:
+ case SIOCADAFR:
+ case SIOCADIFR:
+ case SIOCINAFR:
+ case SIOCINIFR:
+ case SIOCRMAFR:
+ case SIOCRMIFR:
+ case SIOCZRLST:
+ case SIOCSWAPA:
+ case SIOCFRZST:
+ case SIOCIPFFL:
+#ifdef IPFILTER_LOG
+ case SIOCIPFFB:
+#endif
+ case SIOCADNAT:
+ case SIOCRMNAT:
+ case SIOCFLNAT:
+ case SIOCCNATL:
+ return EPERM;
+ }
+ }
+
SPLNET(s);
switch (cmd) {
case FIONREAD :
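Review bot: The securelevel gate added before `SPLNET(s)` is a deny-list of commands, so it fails open: any state-changing ioctl later added to the `switch (cmd)` below, but not to this list, stays permitted at securelevel > 1. Either invert the check so that only known read-only commands pass at that level, or at least tie the two lists together with a comment such as `/* securelevel > 1: every ioctl that alters filter, NAT or log state must be listed here; keep in sync with the switch below */`. The inner switch would also read better with an explicit `default: break;`. iplioctl starts before and continues past this hunk, so whether the later cases also check `mode` for write access is not visible here.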