27c27
< __FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw2.c 193894 2009-06-10 10:34:59Z luigi $");
---
> __FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw2.c 194498 2009-06-19 17:10:35Z brooks $");
138,150d137
< * Data structure to cache our ucred related
< * information. This structure only gets used if
< * the user specified UID/GID based constraints in
< * a firewall rule.
< */
< struct ip_fw_ugid {
< gid_t fw_groups[NGROUPS];
< int fw_ngroups;
< uid_t fw_uid;
< int fw_prid;
< };
<
< /*
2012,2023d1998
< static void
< fill_ugid_cache(struct inpcb *inp, struct ip_fw_ugid *ugp)
< {
< struct ucred *cr;
<
< cr = inp->inp_cred;
< ugp->fw_prid = jailed(cr) ? cr->cr_prison->pr_id : -1;
< ugp->fw_uid = cr->cr_uid;
< ugp->fw_ngroups = cr->cr_ngroups;
< bcopy(cr->cr_groups, ugp->fw_groups, sizeof(ugp->fw_groups));
< }
<
2027c2002
< u_int16_t src_port, struct ip_fw_ugid *ugp, int *ugid_lookupp,
---
> u_int16_t src_port, struct ucred **uc, int *ugid_lookupp,
2035d2009
< gid_t *gp;
2045c2019
< fill_ugid_cache(inp, ugp);
---
> *uc = crhold(inp->inp_cred);
2078c2052
< fill_ugid_cache(pcb, ugp);
---
> *uc = crhold(inp->inp_cred);
2094,2103c2068,2072
< match = (ugp->fw_uid == (uid_t)insn->d[0]);
< else if (insn->o.opcode == O_GID) {
< for (gp = ugp->fw_groups;
< gp < &ugp->fw_groups[ugp->fw_ngroups]; gp++)
< if (*gp == (gid_t)insn->d[0]) {
< match = 1;
< break;
< }
< } else if (insn->o.opcode == O_JAIL)
< match = (ugp->fw_prid == (int)insn->d[0]);
---
> match = ((*uc)->cr_uid == (uid_t)insn->d[0]);
> else if (insn->o.opcode == O_GID)
> match = groupmember((gid_t)insn->d[0], *uc);
> else if (insn->o.opcode == O_JAIL)
> match = ((*uc)->cr_prison->pr_id == (int)insn->d[0]);
2181,2182c2150,2151
< struct ip_fw_ugid fw_ugid_cache;
< int ugid_lookup = 0;
---
> struct ucred *ucred_cache = NULL;
> int ucred_lookup = 0;
2644,2645c2613,2614
< src_ip, src_port, &fw_ugid_cache,
< &ugid_lookup, args->inp);
---
> src_ip, src_port, &ucred_cache,
> &ucred_lookup, args->inp);
3272a3242,3243
> if (ucred_cache != NULL)
> crfree(ucred_cache);
3477a3449,3450
> if (ucred_cache != NULL)
> crfree(ucred_cache);
3485a3459,3460
> if (ucred_cache != NULL)
> crfree(ucred_cache);
< __FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw2.c 193894 2009-06-10 10:34:59Z luigi $");
---
> __FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw2.c 194498 2009-06-19 17:10:35Z brooks $");
138,150d137
< * Data structure to cache our ucred related
< * information. This structure only gets used if
< * the user specified UID/GID based constraints in
< * a firewall rule.
< */
< struct ip_fw_ugid {
< gid_t fw_groups[NGROUPS];
< int fw_ngroups;
< uid_t fw_uid;
< int fw_prid;
< };
<
< /*
2012,2023d1998
< static void
< fill_ugid_cache(struct inpcb *inp, struct ip_fw_ugid *ugp)
< {
< struct ucred *cr;
<
< cr = inp->inp_cred;
< ugp->fw_prid = jailed(cr) ? cr->cr_prison->pr_id : -1;
< ugp->fw_uid = cr->cr_uid;
< ugp->fw_ngroups = cr->cr_ngroups;
< bcopy(cr->cr_groups, ugp->fw_groups, sizeof(ugp->fw_groups));
< }
<
2027c2002
< u_int16_t src_port, struct ip_fw_ugid *ugp, int *ugid_lookupp,
---
> u_int16_t src_port, struct ucred **uc, int *ugid_lookupp,
2035d2009
< gid_t *gp;
2045c2019
< fill_ugid_cache(inp, ugp);
---
> *uc = crhold(inp->inp_cred);
2078c2052
< fill_ugid_cache(pcb, ugp);
---
> *uc = crhold(inp->inp_cred);
2094,2103c2068,2072
< match = (ugp->fw_uid == (uid_t)insn->d[0]);
< else if (insn->o.opcode == O_GID) {
< for (gp = ugp->fw_groups;
< gp < &ugp->fw_groups[ugp->fw_ngroups]; gp++)
< if (*gp == (gid_t)insn->d[0]) {
< match = 1;
< break;
< }
< } else if (insn->o.opcode == O_JAIL)
< match = (ugp->fw_prid == (int)insn->d[0]);
---
> match = ((*uc)->cr_uid == (uid_t)insn->d[0]);
> else if (insn->o.opcode == O_GID)
> match = groupmember((gid_t)insn->d[0], *uc);
> else if (insn->o.opcode == O_JAIL)
> match = ((*uc)->cr_prison->pr_id == (int)insn->d[0]);
2181,2182c2150,2151
< struct ip_fw_ugid fw_ugid_cache;
< int ugid_lookup = 0;
---
> struct ucred *ucred_cache = NULL;
> int ucred_lookup = 0;
2644,2645c2613,2614
< src_ip, src_port, &fw_ugid_cache,
< &ugid_lookup, args->inp);
---
> src_ip, src_port, &ucred_cache,
> &ucred_lookup, args->inp);
3272a3242,3243
> if (ucred_cache != NULL)
> crfree(ucred_cache);
3477a3449,3450
> if (ucred_cache != NULL)
> crfree(ucred_cache);
3485a3459,3460
> if (ucred_cache != NULL)
> crfree(ucred_cache);