From nobody@FreeBSD.org  Thu May 24 06:56:11 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id B29DB37B422
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 24 May 2001 06:56:10 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f4ODuAp66088;
	Thu, 24 May 2001 06:56:10 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200105241356.f4ODuAp66088@freefall.freebsd.org>
Date: Thu, 24 May 2001 06:56:10 -0700 (PDT)
From: andria@tovaris.com
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipf restricts rule-changing at securelevel 2
X-Send-Pr-Version: www-1.0

>Number:         27615
>Category:       kern
>Synopsis:       ipf restricts rule-changing at securelevel 2
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    darrenr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 24 07:00:01 PDT 2001
>Closed-Date:    Mon Feb 4 06:31:24 PST 2002
>Last-Modified:  Mon Feb 04 06:31:42 PST 2002
>Originator:     Andria Thomas
>Release:        4.3-STABLE
>Organization:
Tovaris
>Environment:
FreeBSD fw.intranet 4.3-STABLE FreeBSD 4.3-STABLE #1: Wed May 23 09:45:59 EDT 2001     root@fw.intranet:/data/obj/data/src/sys/FW  i386

>Description:
According to the 'init' manpage, running at securelevel 2 should still
allow the flushing/changing of ipf/ipnat rules.  This is true for ipfw,
but is not true for ipf.
>How-To-Repeat:
Run a firewall at securelevel 2 and try to flush/change your ipf or 
ipnat rules.
>Fix:
There are only two references to securelevel in the ip-filter code.
They should be changed from 'securelevel >= 2' to 'securelevel >= 3'.

*** ip_fil.c    Wed May 23 09:39:37 2001
--- ip_fil.c.orig       Wed May 23 09:39:12 2001
***************
*** 461,465 ****
  
  #if (BSD >= 199306) && defined(_KERNEL)
!       if ((securelevel >= 3) && (mode & FWRITE))
                return EPERM;
  #endif
--- 461,465 ----
  
  #if (BSD >= 199306) && defined(_KERNEL)
!       if ((securelevel >= 2) && (mode & FWRITE))
                return EPERM;
  #endif
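Review bot: this context diff runs in the opposite direction to the fix described under ">Fix:": the '*** ip_fil.c' side (the old file in context-diff convention) already carries 'securelevel >= 3' and the '--- ip_fil.c.orig' side (the new file) carries 'securelevel >= 2', so applied as-is it would turn a tree from '>= 3' back to '>= 2'. Regenerate it with the pristine file first ('diff -c ip_fil.c.orig ip_fil.c') or apply it with 'patch -R'. The commit message should also say plainly that the change relaxes the gate on purpose: after it, root at securelevel 2 can again open the ipf device with FWRITE, which matches what the description says init(8) documents for ipfw but is a loosening of what ipf enforces today.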
-----------------------------------------------------------
*** ip_nat.c    Wed May 23 09:39:50 2001
--- ip_nat.c.orig       Wed May 23 09:39:19 2001
***************
*** 428,432 ****
  
  #if (BSD >= 199306) && defined(_KERNEL)
!       if ((securelevel >= 3) && (mode & FWRITE))
                return EPERM;
  #endif
--- 428,432 ----
  
  #if (BSD >= 199306) && defined(_KERNEL)
!       if ((securelevel >= 2) && (mode & FWRITE))
                return EPERM;
  #endif
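Review bot: same reversed direction as the ip_fil.c hunk: the '*** ip_nat.c' (old) side has '>= 3' and the '--- ip_nat.c.orig' (new) side has '>= 2', so this one also needs 'patch -R' or regenerating with the .orig file as the first argument. The two checks have to stay in step, otherwise a NAT table change could be refused while a filter rule change is allowed at the same securelevel; since the surrounding context lines are identical in both files, a single shared threshold definition would be harder to let drift apart than two literal '3's.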

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Thu May 24 07:24:09 PDT 2001 
Responsible-Changed-Why:  
Darren is the ipf man. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27615 

From: Adrian Filipi-Martin <adrian@ubergeeks.com>
To: <freebsd-gnats-submit@FreeBSD.org>
Cc: <andria@tovaris.com>
Subject: Re: kern/27615: ipf restricts rule-changing at securelevel 2
Date: Sun, 7 Oct 2001 21:58:55 -0400 (EDT)

Hi folks,

	These patches seemed to have expanded tabs in them which made them
fail to apply cleanly.  Attached are ones that work relative to
4.4-RELEASE.  ipfilter does indeed mark its rules immutable at level 2,
whereas ipfw does the same thing at level 3.  Both firewall technologies
ought to be consistent.

	Adrian
--
[ adrian@ubergeeks.com ]
 
State-Changed-From-To: open->closed 
State-Changed-By: darrenr 
State-Changed-When: Mon Feb 4 06:31:24 PST 2002 
State-Changed-Why:  
patch added to -current and -stable 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27615 
>Unformatted:
