From 3a27af0dd4fc70896bd0f2a24d0b5dc022ac7172 Mon Sep 17 00:00:00 2001
From: "Christian S.J. Peron"
Date: Sat, 11 Sep 2004 19:44:29 +0000
Subject: [PATCH] Currently when ipfw(8) generates the micro-instructions for rules which contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical operator bits get clobbered. Making it impossible to use the ``NOT'' or ``OR'' operators with uid, gid and jail based constraints. The ipfw_insn instruction template contains a ``len'' element which stores two pieces of information, the size of the instruction (in 32-bit words) in the low 6 bits of "len" with the 2 remaining bits to implement OR and NOT. The current code clobbers the OR and NOT bits by initializing the ``len'' element to the size, rather than OR'ing the bits. This change fixes this by changing the initialization of cmd->len to an OR operation for the O_UID, O_GID and O_JAIL opcodes. This may be a MFC candidate for RELENG_5.
Reviewed by: andre
Approved by: luigi
PR: kern/63961 (partially)
---
 sbin/ipfw/ipfw2.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index c7ccfd5bd9c1..4d7c535f60d2 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -3296,7 +3296,7 @@ add(int ac, char *av[])
 if (pwd == NULL)
 errx(EX_DATAERR, "uid \"%s\" nonexistent", *av);
 cmd32->d[0] = pwd->pw_uid;
- cmd->len = F_INSN_SIZE(ipfw_insn_u32);
+ cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
 ac--; av++;
 }
 break;
@@ -3314,7 +3314,7 @@ add(int ac, char *av[])
 if (grp == NULL)
 errx(EX_DATAERR, "gid \"%s\" nonexistent", *av);
 cmd32->d[0] = grp->gr_gid;
- cmd->len = F_INSN_SIZE(ipfw_insn_u32);
+ cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
 ac--; av++;
 }
 break;
@@ -3330,7 +3330,7 @@ add(int ac, char *av[])
 if (jid < 0 || *end != '\0')
 errx(EX_DATAERR, "jail requires prison ID");
 cmd32->d[0] = (unsigned int)jid;
- cmd->len = F_INSN_SIZE(ipfw_insn_u32);
+ cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
 ac--; av++;
 }
 break;
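Review bot: `cmd->len |= F_INSN_SIZE(ipfw_insn_u32);` in the uid case (and the identical line in the gid and jail hunks) is only correct while the low six length bits of `cmd->len` are still zero at that point; any stale length there would be OR-ed into a wrong instruction size. The initialisation of `cmd` happens outside these hunks, so that precondition cannot be confirmed here. Writing `cmd->len = (cmd->len & (F_NOT | F_OR)) | F_INSN_SIZE(ipfw_insn_u32);` keeps the two flag bits the description talks about and does not depend on it. Because the old code dropped the flags without an error, a rule entered as a negated uid, gid or jail match appears to have been installed without the negation, so the release note for this fix should tell operators to re-add such rules with the fixed binary and check them in the listing.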
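Review bot: The jail case stores `(unsigned int)jid` after checking only `jid < 0 || *end != '\0'`, which lets an empty argument through (it would parse as 0 if the conversion above the hunk is strtol-style) and says nothing about overflow. Extending the guard to `if (end == *av || *end != '\0' || jid < 0)` and testing `errno == ERANGE` at the conversion would stop a malformed ID from producing a rule bound to an unintended jail. The declaration and conversion of `jid` are outside the hunk, so its type should be confirmed before touching the cast.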