From: Cy Schubert
Date: Thu, 14 Jul 2022 21:31:56 GMT
Message-Id: <202207142131.26ELVuX8093891@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: ed86cf0121f9 - stable/12 - ipfilter: Support only jails in VNET
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: ed86cf0121f9a28e754f605c5be6c6576cde6c64

The branch stable/12 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=ed86cf0121f9a28e754f605c5be6c6576cde6c64

commit
ed86cf0121f9a28e754f605c5be6c6576cde6c64 Author: Cy Schubert AuthorDate: 2022-03-17 18:05:05 +0000 Commit: Cy Schubert CommitDate: 2022-07-14 13:26:47 +0000 ipfilter: Support only jails in VNET Jails without VNET have complete access to the ipfilter rules, NAT, pools and logs. This is insecure. Only allow jails to manipulate ipfilter rules, NAT tables and ippools if the jail has its own VNET. Otherwise a jail can affect the global system. This patch brings ipfilter in line with ipfw's support of VNET jails and non-support of non-VNET jails. (cherry picked from commit c47db49ba4aa7e74afe22591a62fbda95317932d) --- sbin/ipf/libipf/interror.c | 4 +++- sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c | 7 +++++++ sys/netpfil/ipfilter/netinet/ip_nat.c | 9 +++++++++ sys/netpfil/ipfilter/netinet/mlfk_ipl.c | 12 ++++++++++++ 4 files changed, 31 insertions(+), 1 deletion(-) diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c index ca97254cb382..994fb9d2b320 100644 --- a/sbin/ipf/libipf/interror.c +++ b/sbin/ipf/libipf/interror.c @@ -17,7 +17,7 @@ typedef struct { static ipf_error_entry_t *find_error(int); -#define IPF_NUM_ERRORS 475 +#define IPF_NUM_ERRORS 477 /* * NO REUSE OF NUMBERS! @@ -355,6 +355,7 @@ log" }, { 60073, "unknown lookup group for next address (ipv6)" }, { 60074, "unknown next address type (ipv6)" }, { 60075, "one object at a time must be copied" }, + { 60076, "NAT ioctl denied in jail without VNET" }, /* -------------------------------------------------------------------------- */ { 70001, "incorrect object size to get pool stats" }, { 70002, "could not malloc memory for new pool node" }, @@ -516,6 +517,7 @@ log" }, { 130015, "ipf_init_all failed" }, { 130016, "finding pfil head failed" }, { 130017, "ipfilter is already initialised and running" }, + { 130018, "ioctl denied in jail without VNET" }, }; diff --git a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c index 8202fd8b9a0c..fe2b5946fab9 100644 
--- a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c +++ b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c @@ -44,6 +44,7 @@ static const char rcsid[] = "@(#)$Id$"; #include #include #include +#include #include #include #include @@ -291,6 +292,12 @@ ipfioctl(struct cdev *dev, ioctlcmd_t cmd, caddr_t data, return (EPERM); } + if (jailed_without_vnet(p->p_cred)) { + V_ipfmain.ipf_interror = 130018; + CURVNET_RESTORE(); + return (EOPNOTSUPP); + } + unit = GET_MINOR(dev); if ((IPL_LOGMAX < unit) || (unit < 0)) { V_ipfmain.ipf_interror = 130002; diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c index f448ce19b46a..835a1b3f848e 100644 --- a/sys/netpfil/ipfilter/netinet/ip_nat.c +++ b/sys/netpfil/ipfilter/netinet/ip_nat.c @@ -42,6 +42,9 @@ struct file; #include #if defined(_KERNEL) # include +# if defined(__FreeBSD__) +# include +# endif # if !defined(__SVR4) # include # endif @@ -999,6 +1002,12 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, IPFERROR(60001); return (EPERM); } +# if defined(__FreeBSD__) + if (jailed_without_vnet(curthread->td_ucred)) { + IPFERROR(60076); + return (EOPNOTSUPP); + } +# endif #endif getlock = (mode & NAT_LOCKHELD) ? 0 : 1; diff --git a/sys/netpfil/ipfilter/netinet/mlfk_ipl.c b/sys/netpfil/ipfilter/netinet/mlfk_ipl.c index 36ddc29453be..0b37dab558aa 100644 --- a/sys/netpfil/ipfilter/netinet/mlfk_ipl.c +++ b/sys/netpfil/ipfilter/netinet/mlfk_ipl.c @@ -369,6 +369,9 @@ sysctl_ipf_int ( SYSCTL_HANDLER_ARGS ) static int sysctl_ipf_int_nat ( SYSCTL_HANDLER_ARGS ) { + if (jailed_without_vnet(curthread->td_ucred)) + return (0); + ipf_nat_softc_t *nat_softc; nat_softc = V_ipfmain.ipf_nat_soft; @@ -380,6 +383,9 @@ sysctl_ipf_int_nat ( SYSCTL_HANDLER_ARGS ) static int sysctl_ipf_int_state ( SYSCTL_HANDLER_ARGS ) { + if (jailed_without_vnet(curthread->td_ucred)) + return (0); + ipf_state_softc_t *state_softc; state_softc = V_ipfmain.ipf_state_soft; 
@@ -391,6 +397,9 @@ sysctl_ipf_int_state ( SYSCTL_HANDLER_ARGS ) static int sysctl_ipf_int_auth ( SYSCTL_HANDLER_ARGS ) { + if (jailed_without_vnet(curthread->td_ucred)) + return (0); + ipf_auth_softc_t *auth_softc; auth_softc = V_ipfmain.ipf_auth_soft; @@ -402,6 +411,9 @@ sysctl_ipf_int_auth ( SYSCTL_HANDLER_ARGS ) static int sysctl_ipf_int_frag ( SYSCTL_HANDLER_ARGS ) { + if (jailed_without_vnet(curthread->td_ucred)) + return (0); + ipf_frag_softc_t *frag_softc; frag_softc = V_ipfmain.ipf_frag_soft;
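Review bot: in the interror.c hunk, IPF_NUM_ERRORS goes from 475 to 477 and exactly two entries (60076 and 130018) are added, so the hand-maintained count still matches the table, but the file's own "NO REUSE OF NUMBERS!" warning shows how fragile this is; a compile-time check that the constant equals the number of table entries would stop a future entry from leaving the count stale. The two new strings also differ only in the "NAT" prefix ("NAT ioctl denied in jail without VNET" vs "ioctl denied in jail without VNET"), which is fine as long as ipf(8) users can tell from the message which gate rejected them.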
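Review bot: in the ipfioctl hunk the new jail check returns EOPNOTSUPP while the check immediately above it returns EPERM. Refusing an ioctl because the caller is a jail without its own VNET is a privilege decision, and the error string registered for 130018 says "denied", so EPERM would match both the neighbouring check and the message; if EOPNOTSUPP is deliberate (meaning "not supported for this jail type" rather than "not permitted"), a one-line comment above the check should say so. The CURVNET_RESTORE() before the early return is needed and present. Since the `unit = GET_MINOR(dev)` dispatch right below shows that all ipf minor devices arrive through this one handler, this check is the gate that actually covers the rules, pools and logs named in the commit message; the ip_nat.c check is then defence in depth for any direct caller of ipf_nat_ioctl.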
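Review bot: in the ipf_nat_ioctl hunk the credential is read as curthread->td_ucred, while the ipfioctl hunk makes the same decision from p->p_cred. Both name the calling process on the ioctl path, but two different expressions for one policy make it easy for the gates to drift apart later; either pass the credential (or the result of jailed_without_vnet()) down from ipfioctl, or use the same expression in both places. The `# if defined(__FreeBSD__)` guard around the call is correct because jailed_without_vnet() is FreeBSD-only, and the matching guard on the new include keeps the non-FreeBSD build unchanged.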
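Review bot: in the sysctl_ipf_int_nat hunk (and identically in the _state, _auth and _frag hunks) the new `if (jailed_without_vnet(...)) return (0);` is inserted before the declaration `ipf_nat_softc_t *nat_softc;`, mixing code and declarations; the kernel style(9) convention is declarations at the top of the block, so move the check below the declaration line or the declaration above it. Two further points apply to all four handlers: SYSCTL_HANDLER_ARGS already hands the handler the request, so req->td->td_ucred is the conventional credential source here rather than curthread->td_ucred; and `return (0)` makes a read from a non-VNET jail look like a successful read that yielded nothing (and, if the node is writable, a write that silently took no effect), where returning EPERM would tell the caller why, consistent with the "denied" wording of the new error strings. Finally, the sysctl_ipf_int handler that appears as context in the first hunk header is not given the guard; if it reports V_ipfmain fields it needs the same check for the commit's goal to hold.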