1. IP_FW_F_{UID,GID} are _not_ commands, they are extras. The sanity checking

for them does not belong in the IP_FW_F_COMMAND switch, that mask doesn't even apply to them(!). 2. You cannot add a uid/gid rule to something that isn't TCP, UDP, or IP. XXX - this should be handled in ipfw(8) as well (for more diagnostic output), but this at least protects bogus rules from being added. Pointy hat: green
2000-09-06 03:10:42 +00:00 · 2000-09-06 03:10:42 +00:00 · 4897e8320e
commit 4897e8320e
parent 9548091b84
1 changed files with 7 additions and 2 deletions
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@ -1719,6 +1719,13 @@ check_ipfw_struct(struct ip_fw *frwl)
 		}
 	}

+	if (frwl->fw_flg & (IP_FW_F_UID | IP_FW_F_GID)) {
+		if (frwl->fw_prot != (IPPROTO_TCP | IPPROTO_UDP | IPPROTO_IP)) {
+			dprintf(("%s cannot use uid/gid logic on non-TCP/UDP\n", err_prefix));
+			return (EINVAL);
+		}
+	}
+
 	/* Check command specific stuff */
 	switch (frwl->fw_flg & IP_FW_F_COMMAND)
 	{
@ -1752,8 +1759,6 @@ check_ipfw_struct(struct ip_fw *frwl)
 #ifdef IPFIREWALL_FORWARD
 	case IP_FW_F_FWD:
 #endif
-	case IP_FW_F_UID:
-	case IP_FW_F_GID:
 		break;
 	default:
 		dprintf(("%s invalid command\n", err_prefix));