Disallow filter modification when the system is "highly secure".

Passed by dhartmei.
author: hugh <hugh@openbsd.org> 2001-06-28 10:04:19 +0000
committer: hugh <hugh@openbsd.org> 2001-06-28 10:04:19 +0000
commit: 6f52e5788366e56341bb5da6fd30501c74bdbf5d (patch)
tree: 6e6648c1522b1f2195aa472cb81c06d4d43fee5d
parent: Compile kerberos4 with -Wall (diff)
download: wireguard-openbsd-6f52e5788366e56341bb5da6fd30501c74bdbf5d.tar.xz
wireguard-openbsd-6f52e5788366e56341bb5da6fd30501c74bdbf5d.zip
1 files changed, 18 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index d623a33e4d7..a8c16aa6f40 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.81 2001/06/27 22:41:25 dhartmei Exp $ */
+/*	$OpenBSD: pf.c,v 1.82 2001/06/28 10:04:19 hugh Exp $ */
 
 /*
  * Copyright (c) 2001, Daniel Hartmeier
@@ -581,6 +581,23 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 	if (!(flags & FWRITE))
 		return (EACCES);
 
+	if (securelevel > 1)
+		switch (cmd) {
+		case DIOCSTART:
+		case DIOCSTOP:
+		case DIOCBEGINRULES:
+		case DIOCADDRULE:
+		case DIOCCOMMITRULES:
+		case DIOCBEGINNATS:
+		case DIOCADDNAT:
+		case DIOCCOMMITNATS:
+		case DIOCBEGINRDRS:
+		case DIOCADDRDR:
+		case DIOCCOMMITRDRS:
+		case DIOCCLRSTATES:
+			return EPERM;
+		}
+
 	switch (cmd) {
 
 	case DIOCSTART:
author	hugh <hugh@openbsd.org>	2001-06-28 10:04:19 +0000
committer	hugh <hugh@openbsd.org>	2001-06-28 10:04:19 +0000
commit	6f52e5788366e56341bb5da6fd30501c74bdbf5d (patch)
tree	6e6648c1522b1f2195aa472cb81c06d4d43fee5d
parent	Compile kerberos4 with -Wall (diff)
download	wireguard-openbsd-6f52e5788366e56341bb5da6fd30501c74bdbf5d.tar.xz wireguard-openbsd-6f52e5788366e56341bb5da6fd30501c74bdbf5d.zip