authorHugh Graham <hugh@cvs.openbsd.org>2001-06-28 10:04:20 +0000
committerHugh Graham <hugh@cvs.openbsd.org>2001-06-28 10:04:20 +0000
commit78e870a58e793558d3ced911a66776ab8e38ed5d (patch)
tree6ba0a01f433358342431c3ee29bd09fdd5b4beee /sys
parent2fd17782699a82d1e1f6c581dcd57f29c20b7af9 (diff)
Disallow modification of the pf filter when the system is "highly secure" (securelevel > 1).
Passed by dhartmei.
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c19
1 files changed, 18 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index d623a33e4d7..a8c16aa6f40 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.81 2001/06/27 22:41:25 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.82 2001/06/28 10:04:19 hugh Exp $ */
/*
* Copyright (c) 2001, Daniel Hartmeier
@@ -581,6 +581,23 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
if (!(flags & FWRITE))
return (EACCES);
+ if (securelevel > 1)
+ switch (cmd) {
+ case DIOCSTART:
+ case DIOCSTOP:
+ case DIOCBEGINRULES:
+ case DIOCADDRULE:
+ case DIOCCOMMITRULES:
+ case DIOCBEGINNATS:
+ case DIOCADDNAT:
+ case DIOCCOMMITNATS:
+ case DIOCBEGINRDRS:
+ case DIOCADDRDR:
+ case DIOCCOMMITRDRS:
+ case DIOCCLRSTATES:
+ return EPERM;
+ }
+
switch (cmd) {
case DIOCSTART: