diff options
| author | kstailey <kstailey@cvs.openbsd.org> | 1997-12-03 01:25:33 +0000 |
|---|---|---|
| committer | kstailey <kstailey@cvs.openbsd.org> | 1997-12-03 01:25:33 +0000 |
| commit | 600477a0b0b78aeded717538f05df29039a4c6b0 (patch) | |
| tree | 17a51b4ec1a05f64c2c02837d7c974e2fc148604 /sys/netinet | |
| parent | 24f0f18aee9671cef8f7ebda56303c67bb93ecd0 (diff) | |
Prevent IPF and NAT configuration changes when securelevel > 1.
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/ip_fil.c | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c index 1de368d9bfe..6e90df072bb 100644 --- a/sys/netinet/ip_fil.c +++ b/sys/netinet/ip_fil.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_fil.c,v 1.14 1997/06/23 19:03:48 kstailey Exp $ */ +/* $OpenBSD: ip_fil.c,v 1.15 1997/12/03 01:25:32 kstailey Exp $ */ /* * (C)opyright 1993,1994,1995 by Darren Reed. * @@ -281,6 +281,33 @@ iplioctl(dev, cmd, data, mode if (unit != 0) return ENXIO; + if (securelevel > 1) { + switch (cmd) { +#ifndef IPFILTER_LKM + case SIOCFRENB: +#endif + case SIOCSETFF: + case SIOCADAFR: + case SIOCADIFR: + case SIOCINAFR: + case SIOCINIFR: + case SIOCRMAFR: + case SIOCRMIFR: + case SIOCZRLST: + case SIOCSWAPA: + case SIOCFRZST: + case SIOCIPFFL: +#ifdef IPFILTER_LOG + case SIOCIPFFB: +#endif + case SIOCADNAT: + case SIOCRMNAT: + case SIOCFLNAT: + case SIOCCNATL: + return EPERM; + } + } + SPLNET(s); switch (cmd) { case FIONREAD : |