authorFederico G. Schwindt <fgsch@cvs.openbsd.org>2001-02-06 17:29:32 +0000
committerFederico G. Schwindt <fgsch@cvs.openbsd.org>2001-02-06 17:29:32 +0000
commit32814ff66ba7dc314c57e3338dcc39db8d36fcd5 (patch)
treea40e017e7c370bcd3c1655cefd1655f49705ab14 /sys
parent7b153e6f7a603c33c38f04569ed443fe993b6200 (diff)
ipf/ipnat check the securelevel in the original code, so don't do it twice.
Also remove unneeded definition of ICMP_UNREACH_FILTER_PROHIB; this isn't needed. Why keep adding things to make diffs harder?
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_fil.c36
-rw-r--r--sys/netinet/ip_fil.h4
-rw-r--r--sys/netinet/ip_nat.c20
-rw-r--r--sys/netinet/ip_state.h4
4 files changed, 6 insertions, 58 deletions
diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c
index 97d595ce821..13477b1a109 100644
--- a/sys/netinet/ip_fil.c
+++ b/sys/netinet/ip_fil.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_fil.c,v 1.40 2001/01/30 04:23:55 kjell Exp $ */
+/* $OpenBSD: ip_fil.c,v 1.41 2001/02/06 17:29:30 fgsch Exp $ */
/*
* Copyright (C) 1993-2000 by Darren Reed.
@@ -133,12 +133,7 @@ extern int tcp_ttl;
# endif
#endif
-# if defined (__OpenBSD__)
-int ipl_unreach = ICMP_UNREACH_FILTER_PROHIB;
-# else
int ipl_unreach = ICMP_UNREACH_FILTER;
-# endif
-
u_long ipl_frouteok[2] = {0, 0};
static int frzerostats __P((caddr_t));
@@ -488,34 +483,7 @@ int mode;
unit = GET_MINOR(dev);
if ((IPL_LOGMAX < unit) || (unit < 0))
return ENXIO;
-
-# if defined(__OpenBSD__)
- /* Prevent IPF changes when securelevel > 1 */
- if (securelevel > 1) {
- switch (cmd) {
-# ifndef IPFILTER_LKM
- case SIOCFRENB:
-# endif
- case SIOCSETFF:
- case SIOCADAFR:
- case SIOCADIFR:
- case SIOCINAFR:
- case SIOCINIFR:
- case SIOCRMAFR:
- case SIOCRMIFR:
- case SIOCZRLST:
- case SIOCSWAPA:
- case SIOCFRZST:
- case SIOCIPFFL:
-# ifdef IPFILTER_LOG
- case SIOCIPFFB:
-# endif
- case SIOCSTLCK:
- return EPERM;
- }
- }
-# endif /* OpenBSD */
-#else /* _KERNEL */
+#else
unit = dev;
#endif
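Review bot: The securelevel check that this removal relies on is not visible in this hunk of ip_fil.c, so the claim that state-changing ioctls are still refused at securelevel > 1 needs to be confirmed against the rest of the function, which starts and ends outside the hunk. In the ip_nat.c hunk the surviving check is visible as `if ((securelevel >= 2) && (mode & FWRITE))`, which keys on the open mode rather than on the command. It therefore covers the removed command lists (SIOCSTLCK, SIOCIPFFL, SIOCADNAT and the rest) only if each of those commands is also rejected without FWRITE, which is presumably the case but is not shown on this page. The `#endif` after that surviving check closes a conditional opened outside the hunk, so it is also worth confirming that the check is compiled in for OpenBSD kernels before dropping the explicit `__OpenBSD__` blocks.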
diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h
index 4e2a4c78ae8..ced4f4fbe79 100644
--- a/sys/netinet/ip_fil.h
+++ b/sys/netinet/ip_fil.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_fil.h,v 1.22 2001/01/30 04:23:56 kjell Exp $ */
+/* $OpenBSD: ip_fil.h,v 1.23 2001/02/06 17:29:30 fgsch Exp $ */
/*
* Copyright (C) 1993-2000 by Darren Reed.
@@ -424,11 +424,9 @@ typedef struct ipflog {
} ipflog_t;
-#if !defined(__OpenBSD__)
# ifndef ICMP_UNREACH_FILTER
# define ICMP_UNREACH_FILTER 13
# endif
-#endif
#ifndef IPF_LOGGING
# define IPF_LOGGING 0
diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c
index a92c042cbcd..615864dffcd 100644
--- a/sys/netinet/ip_nat.c
+++ b/sys/netinet/ip_nat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_nat.c,v 1.38 2001/01/30 04:23:56 kjell Exp $ */
+/* $OpenBSD: ip_nat.c,v 1.39 2001/02/06 17:29:30 fgsch Exp $ */
/*
* Copyright (C) 1995-2000 by Darren Reed.
@@ -426,24 +426,6 @@ int mode;
if ((securelevel >= 2) && (mode & FWRITE))
return EPERM;
#endif
-#if defined(_KERNEL)
-# if defined(__OpenBSD__)
- /* Prevent IPNAT changes when securelevel > 1 */
- if (securelevel > 1) {
- switch (cmd) {
- case SIOCIPFFL:
-# ifdef IPFILTER_LOG
- case SIOCIPFFB:
-# endif
- case SIOCADNAT:
- case SIOCRMNAT:
- case SIOCSTPUT:
- case SIOCSTLCK:
- return EPERM;
- }
- }
-# endif /* OpenBSD */
-#endif /* _KERNEL */
nat = NULL; /* XXX gcc -Wuninitialized */
KMALLOC(nt, ipnat_t *);
diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h
index 0f28639ffc2..f025ef00cff 100644
--- a/sys/netinet/ip_state.h
+++ b/sys/netinet/ip_state.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_state.h,v 1.17 2001/01/30 04:23:56 kjell Exp $ */
+/* $OpenBSD: ip_state.h,v 1.18 2001/02/06 17:29:31 fgsch Exp $ */
/*
* Copyright (C) 1995-2000 by Darren Reed.
@@ -19,7 +19,7 @@
# define SIOCDELST _IOW(r, 61, struct ipstate *)
#endif
-#ifndef IPSTATE_SIZE
+#ifndef IPSTATE_SIZE
# define IPSTATE_SIZE 5737
#endif