freebsd-skq/sys
csjp 6661aed38d Add the ability to associate ipfw rules with a specific prison ID.
Since the only thing truly unique about a prison is its ID, I figured
this would be the most granular way of handling this.

This commit makes the following changes:

- Adds tokenizing and parsing for the ``jail'' command line option
  to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While I am here, add a comment informing others that if they
  want to add additional opcodes, they should append them to the end
  of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed,
  set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.

This change was a strong motivator behind the ucred caching
mechanism in ipfw.

A sample usage of this new functionality could be:

    ipfw add count ip from any to any jail 2

It should be noted that because ucred based constraints
are only implemented for TCP and UDP packets, the same
applies for jail associations.

Conceptual head nod by:	pjd
Reviewed by:	rwatson
Approved by:	bmilekic (mentor)
2004-08-12 22:06:55 +00:00
alpha Add __elfN(dump_thread). This function is called from __elfN(coredump) 2004-08-11 02:35:06 +00:00
amd64 Mark end of frames. 2004-08-11 23:23:05 +00:00
arm Add __elfN(dump_thread). This function is called from __elfN(coredump) 2004-08-11 02:35:06 +00:00
boot Catch up with change to <machine/pte.h>. 2004-08-10 02:08:57 +00:00
cam Add support iRiver iFP MP3 player 2004-08-08 09:08:37 +00:00
coda Put a version element in the VFS filesystem configuration structure 2004-07-30 22:08:52 +00:00
compat Add __elfN(dump_thread). This function is called from __elfN(coredump) 2004-08-11 02:35:06 +00:00
conf - Introduce an ofw_bus kobj-interface for retrieving the OFW node and a 2004-08-12 17:41:33 +00:00
contrib Loopback fix from Mathieu Sauve-Frankel: 2004-08-12 14:15:42 +00:00
crypto
ddb Damage control. Correctly advance symtab and strtab pointers, not 2004-07-28 08:59:08 +00:00
dev - Use bus_space_subregion() rather than arithmetic on bus_space_handle_t. [1] 2004-08-12 20:37:02 +00:00
doc Experimental support for using doxygen to generate kernel documentation. 2004-07-11 16:13:57 +00:00
fs use bufdone() not biodone(). 2004-08-08 13:23:05 +00:00
gdb Comment-out the debugging printf I left in in case there were some 2004-08-10 19:32:33 +00:00
geom MFp4: Simplify code a bit: 2004-08-11 23:41:53 +00:00
gnu Put a version element in the VFS filesystem configuration structure 2004-07-30 22:08:52 +00:00
i4b Fix a possible hang which apparently occurs during a warm boot (cold boot 2004-07-18 20:13:31 +00:00
i386 Add __elfN(dump_thread). This function is called from __elfN(coredump) 2004-08-11 02:35:06 +00:00
ia64 In set_regs(), flush the dirty registers onto the backingstore before 2004-08-11 05:29:13 +00:00
isa Assume a finger of regular width when no width value is reported by 2004-08-08 01:26:00 +00:00
isofs/cd9660 Put a version element in the VFS filesystem configuration structure 2004-07-30 22:08:52 +00:00
kern Trim trailing white space. 2004-08-12 18:06:21 +00:00
libkern Convert the vfsconf list to a TAILQ. 2004-07-27 22:32:01 +00:00
modules - Introduce an ofw_bus kobj-interface for retrieving the OFW node and a 2004-08-12 17:41:33 +00:00
net Convert the routing table to use an UMA zone for rtentries. The zone is 2004-08-11 17:26:56 +00:00
net80211 Add a new network interface flag, IFF_NEEDSGIANT, which will allow 2004-07-27 23:20:45 +00:00
netatalk Inline umich license from COPYRIGHT to make it clear what license the 2004-08-10 03:23:05 +00:00
netatm Avoid casts as lvalues. 2004-07-28 06:59:55 +00:00
netgraph This is the netgraph node framework for the user side call control 2004-08-12 14:22:00 +00:00
netinet Add the ability to associate ipfw rules with a specific prison ID. 2004-08-12 22:06:55 +00:00
netinet6 When allocating the IPv6 header to stick in front of raw packet being 2004-08-12 18:31:36 +00:00
netipsec
netipx Avoid casts as lvalues. Declare local variable as u_char * instead of 2004-07-28 06:58:23 +00:00
netkey
netnatm
netncp
netsmb Avoid casts as lvalues. 2004-07-28 06:59:55 +00:00
nfs
nfs4client Put a version element in the VFS filesystem configuration structure 2004-07-30 22:08:52 +00:00
nfsclient Put a version element in the VFS filesystem configuration structure 2004-07-30 22:08:52 +00:00
nfsserver If debug.mpsafenet is non-zero, run the NFS server callout without 2004-07-24 02:32:27 +00:00
opencrypto Don't acquire Giant in cryptof_close(), as the code is intended to be 2004-08-10 03:26:17 +00:00
pc98 MFi386: revision 1.597. 2004-08-05 13:01:29 +00:00
pccard
pci Revert rev 1.93 and replace it by grabbing the vr lock before calling 2004-08-11 04:30:49 +00:00
posix4
powerpc - Introduce an ofw_bus kobj-interface for retrieving the OFW node and a 2004-08-12 17:41:33 +00:00
rpc fix array index out of bounds in rpc->rc_srtt[], rpc->rc_sdrtt[] 2004-07-15 22:21:25 +00:00
security * Add a "how" argument to uma_zone constructors and initialization functions 2004-08-02 00:18:36 +00:00
sparc64 - Introduce an ofw_bus kobj-interface for retrieving the OFW node and a 2004-08-12 17:41:33 +00:00
sys RFC 2292 requires to check msg_controllen, in case that the kernel returns 2004-08-11 10:18:49 +00:00
tools Pass doxygen doc comments through to the output. 2004-07-11 16:14:24 +00:00
ufs use bufdone() not biodone(). 2004-08-08 13:23:05 +00:00
vm The vm map lock is needed in vm_fault() after the page has been found, 2004-08-12 20:14:49 +00:00
Makefile