Hmm, so by the way: it was a mistake on my side — pf.conf accepts the @ if the rule is written as: block out on fxp1 tagged "@foo"
instead of: block out on fxp1 tagged @foo I allready implement it and test it would work, the question for me is, if the uid would be necessary and the namespace is enough, because if want to allow non-root processes to set tags, why we should need to look for the userid, if the @ allready indicates its an non-root-set-tag? Here is the uipc_socket.c diff the rest didn't change since my last diff. Good start in the week everybody! Index: uipc_socket.c =================================================================== RCS file: /cvs/src/sys/kern/uipc_socket.c,v retrieving revision 1.67 diff -p -r1.67 uipc_socket.c *** uipc_socket.c 20 Dec 2007 17:16:50 -0000 1.67 --- uipc_socket.c 9 Mar 2008 23:44:33 -0000 *************** *** 48,53 **** --- 48,55 ---- #include <sys/resourcevar.h> #include <sys/pool.h> + #include <net/pfvar.h> + void filt_sordetach(struct knote *kn); int filt_soread(struct knote *kn, long hint); void filt_sowdetach(struct knote *kn); *************** socreate(int dom, struct socket **aso, i *** 115,120 **** --- 117,123 ---- so->so_rgid = p->p_cred->p_rgid; so->so_egid = p->p_ucred->cr_gid; so->so_cpid = p->p_pid; + so->so_pftag = 0; so->so_proto = prp; error = (*prp->pr_usrreq)(so, PRU_ATTACH, NULL, (struct mbuf *)(long)proto, NULL); *************** sofree(struct socket *so) *** 188,193 **** --- 191,200 ---- if (!soqremque(so, 0)) return; } + + if(so->so_pftag != 0) + pf_tag_unref(so->so_pftag); + sbrelease(&so->so_snd); sorflush(so); pool_put(&socket_pool, so); *************** soaccept(struct socket *so, struct mbuf *** 279,284 **** --- 286,293 ---- else error = ECONNABORTED; splx(s); + if (!error && so->so_pftag) + pf_tag_ref(so->so_pftag); return (error); } *************** sosetopt(struct socket *so, int level, i *** 1085,1090 **** --- 1094,1120 ---- } break; } + + case SO_PFTAG: + { + char tagname[PF_TAG_NAME_SIZE] = "@"; + if (m == NULL) { + error = EINVAL; + goto bad; + } + if(so->so_pftag != 0) + { + pf_tag_unref(so->so_pftag); + } + 
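Review bot: Pulling <net/pfvar.h> into uipc_socket.c and calling pf_tag_ref/pf_tag_unref/pf_tagname2tag from the generic socket layer makes every kernel depend on pf symbols; if pf is a pseudo-device that a configuration can leave out, such a kernel would presumably no longer link. The usual pattern is `#include "pf.h"` together with `#if NPF > 0` around the calls, or a small always-present helper that the socket code calls instead. This hunk only changes the include list, so the point applies equally to the calls added in the later hunks.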
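Review bot: The unref added to sofree does not follow KNF: `if(` needs a space, and a single-statement body takes no braces, so `if (so->so_pftag != 0)` followed by `pf_tag_unref(so->so_pftag);` matches the surrounding code (the same `if(`/brace shape recurs in the sosetopt hunk). Clearing the field afterwards with `so->so_pftag = 0;` is cheap insurance against a second unref should the struct ever be reused without being re-zeroed. sofree starts outside the hunk.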
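Review bot: Taking the tag reference in soaccept, after the socket already carries so_pftag, leaves a window in which sofree (which unrefs whenever `so_pftag != 0`) runs on a queued connection that is dropped before anyone accepts it and releases a reference that was never taken. If so_pftag is inherited from the listening socket in sonewconn (not in this diff), the `pf_tag_ref` belongs there, where the field is copied, and the two lines here can go; otherwise sofree must skip the unref for sockets that were never accepted. Either way, the error path of soaccept (ECONNABORTED) also leaves a tagged socket behind that sofree will unref later, so the reference must exist by then. soaccept starts outside the hunk.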
strlcat(tagname, mtod(m, char *), PF_TAG_NAME_SIZE); + so->so_pftag = pf_tagname2tag(tagname); + if(so->so_pftag == 0) + { + error = EINVAL; /*XXX*/ + goto bad; + } + break; + } default: error = ENOPROTOOPT; *************** sogetopt(struct socket *so, int level, i *** 1173,1178 **** --- 1203,1216 ---- mtod(m, struct timeval *)->tv_sec = val / hz; mtod(m, struct timeval *)->tv_usec = (val % hz) * tick; + break; + } + case SO_PFTAG: + { + char tagname[PF_TAG_NAME_SIZE]; + pf_tag2tagname(so->so_pftag, tagname); + m->m_len = strlen(tagname) + 1; + strlcpy(mtod(m, char *), tagname, m->m_len); break; }
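Review bot: The SO_PFTAG case in sosetopt hands `mtod(m, char *)` to strlcat as a NUL-terminated string without checking `m->m_len`, so a setsockopt(2) caller that omits the terminator makes strlcat read past the option bytes it actually copied in. It also drops the socket's old tag before `pf_tagname2tag` has succeeded, so a failed lookup leaves the socket untagged instead of unchanged, and since the lookup fails when the shared tag table is exhausted, `ENOMEM` describes that better than the `EINVAL /*XXX*/`. The rewrite below validates length and terminator first, looks the new tag up, and only then releases the old reference; sosetopt itself starts and ends outside the hunk, and `bad:` is assumed to free m as the rest of this function does. On the question in the mail: the "@" prefix keeps user tags out of the administrator's namespace, but it does not stop an unprivileged process from allocating many distinct "@" names in the table that pf rules also draw from, which is what a uid or resource check would be for.
```c
	case SO_PFTAG:
	    {
		char tagname[PF_TAG_NAME_SIZE] = "@";
		u_int16_t newtag;

		/* Option data must be a NUL-terminated name that fits after "@". */
		if (m == NULL || m->m_len < 2 || m->m_len > PF_TAG_NAME_SIZE - 1 ||
		    mtod(m, char *)[m->m_len - 1] != '\0') {
			error = EINVAL;
			goto bad;
		}
		strlcat(tagname, mtod(m, char *), sizeof(tagname));
		newtag = pf_tagname2tag(tagname);
		if (newtag == 0) {
			error = ENOMEM;	/* tag table full or no memory */
			goto bad;
		}
		/* Swap references only once the new tag is held. */
		if (so->so_pftag != 0)
			pf_tag_unref(so->so_pftag);
		so->so_pftag = newtag;
		break;
	    }
```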
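Review bot: The SO_PFTAG case in sogetopt calls pf_tag2tagname with `so->so_pftag` even when it is 0 (a socket that never set a tag) and then runs strlen on `tagname`; if, as I recall, the pf tag-table lookup leaves the buffer untouched on a miss, strlen reads uninitialized kernel stack and the bytes are copied out to the caller. Initialise the buffer and skip the lookup for an untagged socket: `char tagname[PF_TAG_NAME_SIZE] = "";` then `if (so->so_pftag != 0)` / `pf_tag2tagname(so->so_pftag, tagname);`. An untagged socket then returns the empty string, which the existing `strlen(tagname) + 1` length handles without further change. sogetopt starts outside the hunk.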