Index: contrib/pf/net/pf.c =================================================================== RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v retrieving revision 1.19 diff -u -r1.19 pf.c --- contrib/pf/net/pf.c 11 Sep 2004 11:18:25 -0000 1.19 +++ contrib/pf/net/pf.c 23 Sep 2004 23:11:18 -0000 @@ -185,11 +185,19 @@ int pf_test_tcp(struct pf_rule **, struct pf_state **, int, struct pfi_kif *, struct mbuf *, int, void *, struct pf_pdesc *, struct pf_rule **, +#ifdef __FreeBSD__ + struct pf_ruleset **, struct inpcb *); +#else struct pf_ruleset **); +#endif int pf_test_udp(struct pf_rule **, struct pf_state **, int, struct pfi_kif *, struct mbuf *, int, void *, struct pf_pdesc *, struct pf_rule **, +#ifdef __FreeBSD__ + struct pf_ruleset **, struct inpcb *); +#else struct pf_ruleset **); +#endif int pf_test_icmp(struct pf_rule **, struct pf_state **, int, struct pfi_kif *, struct mbuf *, int, void *, struct pf_pdesc *, struct pf_rule **, @@ -229,8 +237,13 @@ struct ifnet *, struct pf_state *); void pf_route6(struct mbuf **, struct pf_rule *, int, struct ifnet *, struct pf_state *); +#ifdef __FreeBSD__ +int pf_socket_lookup(uid_t *, gid_t *, + int, struct pf_pdesc *, struct inpcb *); +#else int pf_socket_lookup(uid_t *, gid_t *, int, struct pf_pdesc *); +#endif u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, sa_family_t); u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, @@ -2376,7 +2389,12 @@ } int +#ifdef __FreeBSD__ +pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd, + struct inpcb *inp_arg) +#else pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd) +#endif { struct pf_addr *saddr, *daddr; u_int16_t sport, dport; @@ -2387,6 +2405,13 @@ #endif struct inpcb *inp; +#ifdef __FreeBSD__ + if (inp_arg != NULL) { + *uid = inp_arg->inp_socket->so_cred->cr_uid; + *gid = inp_arg->inp_socket->so_cred->cr_groups[0]; + return (1); + } +#endif *uid = UID_MAX; *gid = GID_MAX; switch (pd->proto) { 
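Review bot: The FreeBSD fast path added at the top of pf_socket_lookup() (hunk @@ -2387) reads `inp_arg->inp_socket->so_cred` without checking `inp_socket`, so a pcb that reaches pf_test() after its socket has been detached would dereference NULL inside the packet path. Whether such pcbs can arrive through the pfil(9) hooks is not visible here, but since the protocol lookup below already signals failure with -1 the guard can reuse that convention: `if (inp_arg->inp_socket == NULL) return (-1);` placed before the two credential reads. The read also assumes the hook caller keeps the pcb and its socket stable for the duration of the call; a short comment above the block, `/* pcb supplied by the pfil hook: caller must keep it and its socket valid */`, would record that assumption for the next maintainer. pf_socket_lookup's body continues past this hunk.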
@@ -2663,7 +2688,12 @@ int pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, struct pfi_kif *kif, struct mbuf *m, int off, void *h, +#ifdef __FreeBSD__ + struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm, + struct inpcb *inp) +#else struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) +#endif { struct pf_rule *nr = NULL; struct pf_addr *saddr = pd->src, *daddr = pd->dst; @@ -2742,12 +2772,20 @@ else if ((r->flagset & th->th_flags) != r->flags) r = TAILQ_NEXT(r, entries); else if (r->uid.op && (lookup != -1 || (lookup = +#ifdef __FreeBSD__ + pf_socket_lookup(&uid, &gid, direction, pd, inp), 1)) && +#else pf_socket_lookup(&uid, &gid, direction, pd), 1)) && +#endif !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], uid)) r = TAILQ_NEXT(r, entries); else if (r->gid.op && (lookup != -1 || (lookup = +#ifdef __FreeBSD__ + pf_socket_lookup(&uid, &gid, direction, pd, inp), 1)) && +#else pf_socket_lookup(&uid, &gid, direction, pd), 1)) && +#endif !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], gid)) r = TAILQ_NEXT(r, entries); @@ -3023,7 +3061,12 @@ int pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, struct pfi_kif *kif, struct mbuf *m, int off, void *h, +#ifdef __FreeBSD__ + struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm, + struct inpcb *inp) +#else struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) +#endif { struct pf_rule *nr = NULL; struct pf_addr *saddr = pd->src, *daddr = pd->dst; 
@@ -3099,12 +3142,20 @@ else if (r->rule_flag & PFRULE_FRAGMENT) r = TAILQ_NEXT(r, entries); else if (r->uid.op && (lookup != -1 || (lookup = +#ifdef __FreeBSD__ + pf_socket_lookup(&uid, &gid, direction, pd, inp), 1)) && +#else pf_socket_lookup(&uid, &gid, direction, pd), 1)) && +#endif !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], uid)) r = TAILQ_NEXT(r, entries); else if (r->gid.op && (lookup != -1 || (lookup = +#ifdef __FreeBSD__ + pf_socket_lookup(&uid, &gid, direction, pd, inp), 1)) && +#else pf_socket_lookup(&uid, &gid, direction, pd), 1)) && +#endif !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], gid)) r = TAILQ_NEXT(r, entries); @@ -5229,7 +5280,7 @@ if (oifp != ifp) { #ifdef __FreeBSD__ PF_UNLOCK(); - if (pf_test(PF_OUT, ifp, &m0) != PF_PASS) { + if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS) { PF_LOCK(); goto bad; } else if (m0 == NULL) { @@ -5519,7 +5570,7 @@ if (oifp != ifp) { #ifdef __FreeBSD__ PF_UNLOCK(); - if (pf_test6(PF_OUT, ifp, &m0) != PF_PASS) { + if (pf_test6(PF_OUT, ifp, &m0, NULL) != PF_PASS) { PF_LOCK(); goto bad; } else if (m0 == NULL) { @@ -5811,7 +5862,11 @@ #ifdef INET int +#ifdef __FreeBSD__ +pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) +#else pf_test(int dir, struct ifnet *ifp, struct mbuf **m0) +#endif { struct pfi_kif *kif; u_short action, reason = 0, log = 0; @@ -5925,8 +5980,13 @@ a = s->anchor.ptr; log = s->log; } else if (s == NULL) +#ifdef __FreeBSD__ + action = pf_test_tcp(&r, &s, dir, kif, + m, off, h, &pd, &a, &ruleset, inp); +#else action = pf_test_tcp(&r, &s, dir, kif, m, off, h, &pd, &a, &ruleset); +#endif break; } @@ -5959,8 +6019,13 @@ a = s->anchor.ptr; log = s->log; } else if (s == NULL) +#ifdef __FreeBSD__ + action = pf_test_udp(&r, &s, dir, kif, + m, off, h, &pd, &a, &ruleset, inp); +#else action = pf_test_udp(&r, &s, dir, kif, m, off, h, &pd, &a, &ruleset); +#endif break; } 
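Review bot: The `NULL` passed to pf_test() in pf_route() (hunk @@ -5229, and again for pf_test6() in pf_route6() at @@ -5519) is unexplained, so a reader of the uid/gid rule path cannot tell whether socket matching is meant to work for re-routed packets. A one-line comment at the call, `/* no pcb context on the route-to path; uid/gid rules fall back to the pcb hash lookup */`, records the intent, and from the pf_socket_lookup() change in this diff that fallback is what a NULL argument produces. pf_route's body starts and ends outside the hunk.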
@@ -6137,7 +6202,11 @@ #ifdef INET6 int +#ifdef __FreeBSD__ +pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) +#else pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) +#endif { struct pfi_kif *kif; u_short action, reason = 0, log = 0; @@ -6274,8 +6343,13 @@ a = s->anchor.ptr; log = s->log; } else if (s == NULL) +#ifdef __FreeBSD__ + action = pf_test_tcp(&r, &s, dir, kif, + m, off, h, &pd, &a, &ruleset, inp); +#else action = pf_test_tcp(&r, &s, dir, kif, m, off, h, &pd, &a, &ruleset); +#endif break; } @@ -6308,8 +6382,13 @@ a = s->anchor.ptr; log = s->log; } else if (s == NULL) +#ifdef __FreeBSD__ + action = pf_test_udp(&r, &s, dir, kif, + m, off, h, &pd, &a, &ruleset, inp); +#else action = pf_test_udp(&r, &s, dir, kif, m, off, h, &pd, &a, &ruleset); +#endif break; } Index: contrib/pf/net/pf_ioctl.c =================================================================== RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v retrieving revision 1.15 diff -u -r1.15 pf_ioctl.c --- contrib/pf/net/pf_ioctl.c 17 Sep 2004 02:15:05 -0000 1.15 +++ contrib/pf/net/pf_ioctl.c 23 Sep 2004 22:51:06 -0000 @@ -182,14 +182,14 @@ * Wrapper functions for pfil(9) hooks */ static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, - int dir); + int dir, struct inpcb *inp); static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, - int dir); + int dir, struct inpcb *inp); #ifdef INET6 static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, - int dir); + int dir, struct inpcb *inp); static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, - int dir); + int dir, struct inpcb *inp); #endif static int hook_pf(void); @@ -3203,7 +3203,8 @@ } static int -pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir) +pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, + struct inpcb *inp) { /* * XXX Wed Jul 9 22:03:16 2003 UTC 
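Review bot: The new `struct inpcb *inp` parameter on the four pfil hook wrappers (hunk @@ -182, with the definitions starting at @@ -3203) changes the function type that pfil(9) calls through, and the matching change to the hook prototype is not part of this diff; presumably it is committed together with this, but that dependency is worth stating so the two halves cannot be merged separately. The forward declaration `struct inpcb;` is added to pfvar.h only under `__FreeBSD__`, while the pf_ioctl.c prototypes use the type unconditionally; if these wrappers are not already inside a `__FreeBSD__` block, they need the same guard or an include that defines the type. The pf_check_in definition continues outside the @@ -3203 hunk.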
@@ -3222,7 +3223,7 @@ HTONS(h->ip_len); HTONS(h->ip_off); } - chk = pf_test(PF_IN, ifp, m); + chk = pf_test(PF_IN, ifp, m, inp); if (chk && *m) { m_freem(*m); *m = NULL; @@ -3237,7 +3238,8 @@ } static int -pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir) +pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, + struct inpcb *inp) { /* * XXX Wed Jul 9 22:03:16 2003 UTC @@ -3261,7 +3263,7 @@ HTONS(h->ip_len); HTONS(h->ip_off); } - chk = pf_test(PF_OUT, ifp, m); + chk = pf_test(PF_OUT, ifp, m, inp); if (chk && *m) { m_freem(*m); *m = NULL; @@ -3277,14 +3279,15 @@ #ifdef INET6 static int -pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir) +pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, + struct inpcb *inp) { /* * IPv6 does not affected ip_len/ip_off byte order changes. */ int chk; - chk = pf_test6(PF_IN, ifp, m); + chk = pf_test6(PF_IN, ifp, m, inp); if (chk && *m) { m_freem(*m); *m = NULL; @@ -3293,7 +3296,8 @@ } static int -pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir) +pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, + struct inpcb *inp) { /* * IPv6 does not affected ip_len/ip_off byte order changes. @@ -3305,7 +3309,7 @@ in_delayed_cksum(*m); (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; } - chk = pf_test6(PF_OUT, ifp, m); + chk = pf_test6(PF_OUT, ifp, m, inp); if (chk && *m) { m_freem(*m); *m = NULL; Index: contrib/pf/net/pfvar.h =================================================================== RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pfvar.h,v retrieving revision 1.9 diff -u -r1.9 pfvar.h --- contrib/pf/net/pfvar.h 23 Sep 2004 12:44:40 -0000 1.9 +++ contrib/pf/net/pfvar.h 23 Sep 2004 23:16:30 -0000 @@ -54,6 +54,9 @@ #include struct ip; +#ifdef __FreeBSD__ +struct inpcb; +#endif #define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0) #define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1) 
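Review bot: pf_check_in() now forwards the hook's `inp` into pf_test(PF_IN, ...) (hunk @@ -3222, and likewise pf_check6_in at @@ -3277), but the pf_socket_lookup() fast path in this diff returns the pcb's credentials without consulting `direction`, whereas the pre-existing PF_IN lookup resolves the receiving socket from the packet's destination. If the input path ever hands a non-NULL pcb to the hook, inbound user/group rules would be matched against that pcb's owner rather than the listener the packet is addressed to; presumably the IP input path passes NULL today, in which case a comment at the call, `/* inp is NULL on input; uid/gid rules use the destination socket lookup */`, records the assumption the fast path relies on. The pf_check_in body starts outside this hunk.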
@@ -1453,11 +1456,19 @@ struct pf_rule *); #ifdef INET +#ifdef __FreeBSD__ +int pf_test(int, struct ifnet *, struct mbuf **, struct inpcb *); +#else int pf_test(int, struct ifnet *, struct mbuf **); +#endif #endif /* INET */ #ifdef INET6 +#ifdef __FreeBSD__ +int pf_test6(int, struct ifnet *, struct mbuf **, struct inpcb *); +#else int pf_test6(int, struct ifnet *, struct mbuf **); +#endif void pf_poolmask(struct pf_addr *, struct pf_addr*, struct pf_addr *, struct pf_addr *, u_int8_t); void pf_addr_inc(struct pf_addr *, sa_family_t);