ipfw: fix jail option after r348215

r348215 changed jail_getid(3) to validate passed-in jids as active jails (as the function is documented to return -1 if the jail does not exist). This broke the jail option (in some cases?) as the jail historically hasn't needed to exist at the time of rule parsing; jids will get stored and later applied. Fix this caller to attempt to parse *av as a number first and just use it as-is to match historical behavior. jail_getid(3) must still be used in order for name arguments to work, but it's strictly a fallback in case we weren't given a number. Reported and tested by: Ari Suutari <ari stonepile fi> Reviewed by: ae MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D21128
2019-08-05 00:08:25 +00:00 · 2019-08-05 00:08:25 +00:00 · a67e053e2b
commit a67e053e2b
parent b571393ab3
1 changed files with 18 additions and 3 deletions
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@ -4674,12 +4674,27 @@ compile_rule(char *av[], uint32_t *rbuf, int *rbufsize, struct tidx *tstate)
 		case TOK_JAIL:
 			NEED1("jail requires argument");
 		    {
+			char *end;
 			int jid;

 			cmd->opcode = O_JAIL;
-			jid = jail_getid(*av);
-			if (jid < 0)
-				errx(EX_DATAERR, "%s", jail_errmsg);
+			/*
+			 * If av is a number, then we'll just pass it as-is.  If
+			 * it's a name, try to resolve that to a jid.
+			 *
+			 * We save the jail_getid(3) call for a fallback because
+			 * it entails an unconditional trip to the kernel to
+			 * either validate a jid or resolve a name to a jid.
+			 * This specific token doesn't currently require a
+			 * jid to be an active jail, so we save a transition
+			 * by simply using a number that we're given.
+			 */
+			jid = strtoul(*av, &end, 10);
+			if (*end != '\0') {
+				jid = jail_getid(*av);
+				if (jid < 0)
+				    errx(EX_DATAERR, "%s", jail_errmsg);
+			}
 			cmd32->d[0] = (uint32_t)jid;
 			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
 			av++;