freebsd-dev/sys/netinet
Christian S.J. Peron 31c88a3043 Add the ability to associate ipfw rules with a specific prison ID.
Since the only thing truly unique about a prison is it's ID, I figured
this would be the most granular way of handling this.

This commit makes the following changes:

- Adds tokenizing and parsing for the ``jail'' command line option
  to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While Iam here, add a comment informing others that if they
  want to add additional opcodes, they should append them to the end
  of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed,
  set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.

This change was a strong motivator behind the ucred caching
mechanism in ipfw.

A sample usage of this new functionality could be:

    ipfw add count ip from any to any jail 2

It should be noted that because ucred based constraints
are only implemented for TCP and UDP packets, the same
applies for jail associations.

Conceptual head nod by:	pjd
Reviewed by:	rwatson
Approved by:	bmilekic (mentor)
2004-08-12 22:06:55 +00:00
..
libalias Fix Skinny and PPTP NAT'ing after the introduction of the {ip,tcp,udp}_next 2004-08-04 15:17:08 +00:00
accf_data.c add missing #include <sys/module.h> 2004-05-30 20:27:19 +00:00
accf_http.c The socket field so_state is used to hold a variety of socket related 2004-06-14 18:16:22 +00:00
icmp6.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
icmp_var.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
if_atm.c replace explicit changes to rt_refcnt by RT_ADDREF and RT_REMREF 2003-11-08 23:36:32 +00:00
if_atm.h
if_ether.c Add a new driver to support IP over firewire. This driver is intended to 2004-06-13 10:54:36 +00:00
if_ether.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
igmp_var.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
igmp.c Lock down parallel router_info list for tracking multicast IGMP 2004-06-11 03:42:37 +00:00
igmp.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
in_cksum.c Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
in_gif.c Ensure that dst is bzeroed before calling rtalloc_ign(), to avoid possible 2004-06-18 02:04:07 +00:00
in_gif.h - fix typo in comment. 2003-10-07 17:46:18 +00:00
in_pcb.c Assert the locks of inpcbinfo's and inpcb's passed into in_pcbconnect() 2004-08-11 04:35:20 +00:00
in_pcb.h Now that IPv6 performs basic in6pcb and inpcb locking, enable inpcb 2004-08-04 18:27:55 +00:00
in_proto.c Commit pf version 3.5 and link additional files to the kernel build. 2004-06-16 23:24:02 +00:00
in_rmx.c Introduce tcp_hostcache and remove the tcp specific metrics from 2003-11-20 20:07:39 +00:00
in_systm.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
in_var.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
in.c Add the function in_localip() which returns 1 if an internet address is for 2004-08-11 11:49:48 +00:00
in.h Add the function in_localip() which returns 1 if an internet address is for 2004-08-11 11:49:48 +00:00
ip6.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
ip_divert.c Backout removal of UMA_ZONE_NOFREE flag for all zones which are established 2004-08-11 20:30:08 +00:00
ip_divert.h Re-remove MT_TAGs. The problems with dummynet have been fixed now. 2004-02-25 19:55:29 +00:00
ip_dummynet.c Do a pass over all modules in the kernel and make them return EOPNOTSUPP 2004-07-15 08:26:07 +00:00
ip_dummynet.h Re-remove MT_TAGs. The problems with dummynet have been fixed now. 2004-02-25 19:55:29 +00:00
ip_ecn.c add ECN support in layer-3. 2003-10-29 15:07:04 +00:00
ip_ecn.h add ECN support in layer-3. 2003-10-29 15:07:04 +00:00
ip_encap.c Lock down IP-layer encapsulation library: 2004-03-10 02:48:50 +00:00
ip_encap.h
ip_fastfwd.c Make use of in_localip() function and replace previous direct LIST_FOREACH 2004-08-11 12:32:10 +00:00
ip_fw2.c Add the ability to associate ipfw rules with a specific prison ID. 2004-08-12 22:06:55 +00:00
ip_fw.h Add the ability to associate ipfw rules with a specific prison ID. 2004-08-12 22:06:55 +00:00
ip_gre.c Lock down global variables in if_gre: 2004-03-22 16:04:43 +00:00
ip_gre.h
ip_icmp.c Define semantic of M_SKIP_FIREWALL more precisely, i.e. also pass associated 2004-07-17 05:10:06 +00:00
ip_icmp.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
ip_id.c Tweak existing header and other build infrastructure to be able to build 2004-02-26 03:53:54 +00:00
ip_input.c Fix two cases of incorrect IPQ_UNLOCK'ing in the merged ip_reass() function. 2004-08-12 08:37:42 +00:00
ip_mroute.c Fix bug with tracking the previous element in a list. 2004-08-03 02:01:44 +00:00
ip_mroute.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
ip_output.c Consistently use NULL for pointer comparisons. 2004-08-11 10:46:15 +00:00
ip_var.h Provide the sysctl net.inet.ip.process_options to control the processing 2004-05-06 18:46:03 +00:00
ip.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
ipprotosw.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
pim_var.h New PIM header files. 2003-08-07 18:17:43 +00:00
pim.h Include <sys/types.h> for autoconf/automake detection. 2004-03-08 07:45:32 +00:00
raw_ip.c Backout removal of UMA_ZONE_NOFREE flag for all zones which are established 2004-08-11 20:30:08 +00:00
tcp_debug.c Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
tcp_debug.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
tcp_fsm.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
tcp_hostcache.c Remove the UMA_ZONE_NOFREE flag to all uma_zcreate() calls in the IP and 2004-08-11 17:08:31 +00:00
tcp_input.c After each label in tcp_input(), assert the inpcbinfo and inpcb lock 2004-07-12 19:28:07 +00:00
tcp_output.c Fix a bug in the sack code that was causing data to be retransmitted 2004-07-28 02:15:14 +00:00
tcp_reass.c After each label in tcp_input(), assert the inpcbinfo and inpcb lock 2004-07-12 19:28:07 +00:00
tcp_sack.c Add support for TCP Selective Acknowledgements. The work for this 2004-06-23 21:04:37 +00:00
tcp_seq.h Add support for TCP Selective Acknowledgements. The work for this 2004-06-23 21:04:37 +00:00
tcp_subr.c In tcp6_ctlinput, lock tcbinfo around the call to syncache_unreach 2004-08-12 18:19:36 +00:00
tcp_syncache.c Backout removal of UMA_ZONE_NOFREE flag for all zones which are established 2004-08-11 20:30:08 +00:00
tcp_timer.c Add support for TCP Selective Acknowledgements. The work for this 2004-06-23 21:04:37 +00:00
tcp_timer.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
tcp_timewait.c In tcp6_ctlinput, lock tcbinfo around the call to syncache_unreach 2004-08-12 18:19:36 +00:00
tcp_usrreq.c compare pointer against NULL, not 0 2004-07-26 21:29:56 +00:00
tcp_var.h The tcp syncache code was leaving the IPv6 flowlabel uninitialised 2004-07-17 19:44:13 +00:00
tcp.h Add support for TCP Selective Acknowledgements. The work for this 2004-06-23 21:04:37 +00:00
tcpip.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
udp_usrreq.c When udp_send() fails, make sure to free the control mbufs as well as 2004-08-12 01:34:27 +00:00
udp_var.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
udp.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00